Abstract

Timed Logic Conformance (TLC) is used to verify the behavioral and timing properties of detailed digital circuits against abstract circuit specifications when both are modeled as Timed Safety Automata (TSA) with real-valued clocks. TLC is a bisimulation-style partial order relationship defined over TSA state space. In contrast to timed simulation, Calculus of Timed Refinement, and time-abstracted bisimulation, TLC defines when one system is an acceptable implementation of another by asymmetric action-matching requirements for specification inputs and implementation outputs. TLC intuitively and pragmatically supports writing abstract specifications and verifying them against implementations. TLC scales up by substituting verified specifications for implementations and hierarchically verifying larger systems. The TLC verification process is more efficient than the circularly dependent assumes-guarantees verification methodology. Instead of building models of the system’s environment and using them in the verification process, the TLC verification methodology explicitly captures environmental timing properties in the system specification and automatically ensures they are satisfied in the TLC relation. The region-automata-based Timed Logic Conformance System (TLCS) implements TSA parallel composition and a TLC decision procedure. TLCS is used to hierarchically verify the STAR! (Self-Timed at Receiver’s Input) asynchronous circuit for communicating safely between clock-skewed systems.
TIMED SAFETY AUTOMATA AND LOGIC CONFORMANCE


I. Introduction

“Counting time is not nearly as important as making time count” — Anonymous

1.1 Background

As the practice of specifying, designing, and building computer-based systems evolves, ad-hoc design methodologies are less and less practical. Integrated electronic circuit complexity is growing exponentially. Today, designs with over a million transistors on a single silicon chip are being fabricated, and the technology is doubling the number of transistors possible every 18 months. At the same time more and more functions are being automated and our dependence on electronic technology is increasing exponentially. For example, automotive engineers are working on computer systems that will electronically steer, accelerate, brake—i.e., totally control the vehicle—without a mechanical connection to the driver. Unfortunately, the ability to verify such complex systems has not kept pace with the ability to fabricate them. The risk to life and safety imposed by error-prone computerized systems in military, transportation, industrial, and household control applications is unacceptable. Building custom systems from the ground up is also very expensive and time consuming. Consequently, computer scientists and computer engineers incorporate math-based engineering discipline into the process of specifying, designing, building, and verifying these systems hierarchically by using and reusing mathematical models. This math-based computer engineering discipline is generally called “Formal Methods” (LM91, HJ95, CW96).

Formal methods practitioners write formal specifications and prove that the models of the systems they create satisfy those specifications. Then, they use the model to build the physical system—usually by a combination of automatic (i.e., computerized) and manual transformations. Hopefully, the physical system has the same properties that were proven about the model it was derived from. In order to improve the correspondence between the model and the physical system, more accurate models and more automated transformation processes are always in order. Formal methods have been used successfully to verify the function (i.e., the logical or mathematical relationship between a system’s inputs and outputs) of some relatively complex systems (Rus95, CW96).

In addition to verifying the system’s function, one of the most demanding areas in formal methods is specifying the system’s timing requirements, modeling the timing of the behavior, and deciding whether the system satisfies the timing requirements (CW96). For example, if the terrain following control system of an aircraft cannot recognize a mountain looming in the foreground and turn the aircraft or increase its altitude in time to avoid hitting the mountain, then it does not matter that the control system is functionally correct. For over 15 years, the timing problem has occupied the interests of theoretical computer scientists but with relatively little pragmatic application to real-world size problems, especially with regard to a continuous rather than discrete model of time.

Prior to 1991, this work was primarily concerned with temporal logic relationships between system events (All83, All84, Das85, JM86, Lad86, HP87, Tsa87, GF88, BGS89, Jah89, GF90, LA90, MC90). Standard temporal logic does not quantitatively relate events to each other; rather, it qualitatively describes the relationship between two events; e.g., given events a and b, a precedes b or b precedes a are two possibilities. Temporal logic also extends the relationships with quantifiers; e.g., event a sometimes (or always) precedes event b. From 1991 to 1993, work proceeded to specify quantitative timing relationships between events, but it was limited to computing integral timing relationships; e.g., b occurs between one and three time units after a might express either a continuous or discrete time relationship (AR91, Dan92, GI91, RR92, Mol91, Cer92, CH92, GI92, ACD93, CHLM93, Dav93, Jen93, LBGG94). Generally only discrete timing relationships could be computed and verified. From 1993 to the present, representing and reasoning about real-valued timing relationships between events has been possible when integers are used to specify time bounds (ACH94, CLK94, HNSY94, HB94, MRM94, Kan95, Hen95, MP95, SY96, TAKB96, ABK+97, LLPY97, EAP98). Most of the work has focused on checking whether or not certain quantitative temporal logic properties hold in a given model, but little work has been done to formally define and compute the timing relationship between two system models.

The aim of this research is to advance the practical specification of and reasoning about the timing properties of the models computer scientists and electrical engineers use to build systems. In particular, this research is targeted at specifying the behavior and timing of a desired electronic circuit and comparing it to timed models of circuit implementations to see if the behavioral and timing properties of the circuit implementation are consistent with the desired circuit. Typically, the desired circuit and implementation circuit models are at different levels of abstraction; i.e., the desired circuit model is much less detailed than the implementation circuit model. This research uses models with binary functional domains (i.e., voltage levels are either true or false) and a continuous time domain (i.e., time is modeled and measured by real-valued clocks).

One of the most widely used models of behavior with formal semantics is the Finite State Machine (FSM). FSMs are fundamental building blocks for defining and proving properties of languages, protocols, computational complexity, etc. A basic FSM is a set of states and a set of transitions between those states. For the purpose of modeling and building computer systems, engineers typically associate a meaning with the FSM by labeling its transitions and/or states with names that represent some action or process. The Basic FSM on the left of Figure 1 is an example representing a process or agent that inputs a and outputs b_. Changes in input or output value from true to false or vice versa are called events. In this document, events are distinguished by labeling transitions with alpha-numerical input and output names; output names have overbars or terminating underscores to distinguish them from inputs. Various flavors of FSM exist, and logics called process algebras have been created to use intuitive and concisely-defined FSMs to model and reason about behavior (Hoa85, Mil80, Mil89). The process algebra Calculus of Communicating Systems (CCS) FSM in Figure 1 represents the same behavior as the Basic FSM with concise CCS syntax.


Figure 1. Simple State Machines. [Figure: four state machines for a process that inputs a and outputs b_, left to right: Basic FSM; CCS FSM, S ::= a.b_.S; CTR FSM, S ::= a.[1,3].b_.S; TSA with locations S and S1, clock k, and clock predicates k >= 1 and k <= 3.]


Since today’s systems are composed of many different concurrently functioning subcomponents, often without a common reference to time, designers must be able to model and reason about subcomponent interactions in a timed calculus. Naturally, this led to timed variants of process algebras (MT92, Kri92, CH92, Dav93, LBGG94, Cer95). The Calculus of Timed Refinement (CTR) (Cer95) FSM in Figure 1 represents almost the same behavior as the Basic and CCS FSMs, except that it constrains output b_ to occur between 1 and 3 time units after input a.

Untimed process algebras and FSM models have been widely used to build complex real-world systems, but timed process algebras have not been effectively used to define and build real-world systems because of the computational complexity of accurately representing and reasoning about the relationship between time and behavior. Discrete models of time reduce the complexity enough to computationally reason about timed FSMs, but since time passes continuously and not in discrete steps, discrete models sacrifice fidelity. Discrete models only allow events to occur at discrete time intervals with regard to each other—i.e., they are synchronized even when they share no causal dependency. Discrete timing models ignore the temporal independence of events. The CTR FSM in Figure 1 can be considered either a discrete or continuous semantic model. Discrete semantics has a b_ transition either 1, 2, or 3 time units after a; continuous semantics has an infinite number of b_ transitions between 1 and 3 time units after a. In the latter case the CTR FSM is not really a finite state machine at all. If integers are used to specify delay bounds, time equivalence classes can finitely represent indistinguishable infinite behaviors, so the term “FSM” will continue to be used to generically refer to the different models of computation in this document.

There are basically two ways to reason about the behavior of FSMs: model checking and equivalence checking. Model checking is the process of checking the state space of a single FSM to verify that it satisfies or possesses a given property. Model checking properties are expressed in a modal logic or modal μ-calculus (SS94, ANB95). Modal logic is related to modal μ-calculus in the way that propositional logic is related to predicate logic, except the distinguished modal carrier elements are no-states and all-states and the distinguished propositional logic carriers are false and true. If an FSM satisfies a given modal logic or modal μ-calculus property, the FSM “models” the property. An example modal logic expression specifying a property of the FSMs depicted in Figure 1 is $[a]\langle b\_\rangle T$, i.e., after every a, there exists a b_ action leading to some state. Properties like deadlock, livelock, and virtually any temporal relationship between actions of an FSM can be specified by μ-calculus or temporal-μ-calculus expressions and model checked against the FSM. Relatively efficient continuous-time model checking algorithms have been developed and implemented to support timed model checking (FP93, CGL+94, SS95, CL96b, CL96a, LLPY97).

Equivalence checking is the process of comparing two FSMs to each other and determining if the two machines are similar in some sense. There are various ways to unambiguously define equivalence relationships between FSMs. Some equivalence relationships preserve behavioral properties, and some do not. R. J. van Glabbeek’s work is a comprehensive discussion about the relative strength of different equivalence relations between FSMs and the properties they preserve (van90). Some equivalence relationships are simply too strong to be of practical use; others are too weak to preserve some important properties. Typically the equivalence relations strong enough to preserve all properties do not give designers enough freedom of implementation to design efficient systems. Since designers cannot feasibly write down all the formulas necessary to specify all of the important relationships between input and output, typical formal specifications consist of both properties and an abstract model of the desired behavior. Developing an implementation that satisfies the specified properties, and which is “equivalent to” or “implements” the function described by the abstract model is the designer’s problem. Therefore, theoretically sound formal methods tools for both model and equivalence checking are important (Pnu98).

Perhaps the first reason timed process algebras have not been effectively used to define and build real-world systems is that timed process algebras add considerable complexity to the untimed logics they are derived from; this makes it hard for humans to intuitively understand the properties and the models. Perhaps the second reason is that timed process algebras are not expressive enough to specify the kinds of timing requirements and properties inherent in today’s concurrent systems—especially asynchronous¹ concurrent systems. The fundamental limitation has been the fact that timed process algebras typically only allow one to express integral time passing and then only between two successive events. To be truly useful, one must be able to specify the timing relationship between any two events in a system, and model behavior that occurs over a continuum, not just in discrete integral time steps.

For these reasons, since the early 90’s, there has been a lot of work to formalize real-time behavior using continuous models of time and behavior like Timed Safety Automata (AD94) and implement decision procedures for timed model- and equivalence-checking. A Timed Safety Automaton (TSA) is an FSM that is augmented with real-valued clocks, location invariant clock predicates, and transition guard clock predicates. The clocks and predicates support intuitive specification of the time and behavior relationship. TSA are more expressive than timed process algebras because they express time relationships between any two events and also between events and states in the model. This expressiveness makes them syntactically more complex than the concise notation of a process algebra. For example, the TSA in Figure 1 expresses the same stimulus-response relationship between input a and output b_ as the CTR FSM, but it also relates occurrences of a to each other via a stimulus-stimulus relationship; i.e., a actions are at least 2 time units apart. TSA can specify any relationship between actions of a system because clocks (like k in this example) can be reset and referenced arbitrarily.

¹ Asynchronous system components do not have a common clock.

Underlying the intuition of TSA is a semantically precise uncountable-state state machine. In order to reason about the behavior of such a machine in a computer, behavior-distinguishing subintervals of multiple real-valued TSA clock times are symbolically represented in another FSM called a Region Automaton (RA). For systems with multiple clocks, the different possible combinations of subintervals are called regions. For an n-clock TSA, regions are subsets of $\mathbb{R}^n$. Unfortunately, RA suffer from state explosion for systems with more than a few clocks. The requirement that all clocks advance at the same rate and the data structures necessary to correctly maintain the relationships between the clocks cause this state explosion.
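The TSA semantics sketched above (clocks that advance together, location invariants, transition guards, resets) and the region abstraction of clock valuations, as an added Python example that is not part of the dissertation or the TLCS tool. The automaton FIG1 is my reading of the TSA in Figure 1 (a resets k and needs k >= 2, b_ needs k >= 1, S1 carries k <= 3); its guards and resets are assumptions, and the timed runs are constructed inputs.

```python
# Added example (not from the dissertation): a dense-time run checker for a Timed
# Safety Automaton and the region abstraction that finitely represents its
# uncountable clock valuations. FIG1 is my reading of the TSA in Figure 1; its
# exact guards and resets are assumptions. Outputs carry a trailing underscore.
import math
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Constraint = Tuple[str, str, int]   # (clock, op, integer bound), e.g. ("k", ">=", 2)
Valuation = Dict[str, float]        # clock name -> real-valued reading
OPS = {"<": lambda x, n: x < n, "<=": lambda x, n: x <= n, "==": lambda x, n: x == n,
       ">=": lambda x, n: x >= n, ">": lambda x, n: x > n}

@dataclass(frozen=True)
class Edge:
    src: str
    action: str
    guard: Tuple[Constraint, ...]   # transition guard clock predicates
    resets: FrozenSet[str]          # clocks set to 0 when the edge is taken
    dst: str

@dataclass(frozen=True)
class TSA:
    clocks: FrozenSet[str]
    init: str
    invariants: Dict[str, Tuple[Constraint, ...]]   # location invariant clock predicates
    edges: Tuple[Edge, ...]

def satisfied(preds: Tuple[Constraint, ...], v: Valuation) -> bool:
    return all(OPS[op](v[x], n) for x, op, n in preds)

def check_run(tsa: TSA, run: List[Tuple[float, str]]) -> Tuple[bool, str]:
    """Replay a timed word [(absolute time, action), ...] under dense-time
    semantics: all clocks advance at the same rate between events, the location
    invariant must hold while waiting, and an edge fires only if its guard holds."""
    loc, now = tsa.init, 0.0
    v = {x: 0.0 for x in tsa.clocks}
    for t, act in run:
        if t < now:
            return False, f"time decreases at t={t}"
        # Delay step. Invariants are upper bounds (downward closed), so if they
        # hold at the end of the delay they held throughout it.
        v = {x: r + (t - now) for x, r in v.items()}
        now = t
        if not satisfied(tsa.invariants.get(loc, ()), v):
            return False, f"invariant of {loc} violated at t={t}, clocks={v}"
        # Action step: take an edge labelled act whose guard is true now.
        for e in tsa.edges:
            if e.src == loc and e.action == act and satisfied(e.guard, v):
                v = {x: (0.0 if x in e.resets else r) for x, r in v.items()}
                loc = e.dst
                break
        else:
            return False, f"no enabled {act} edge from {loc} at t={t}, clocks={v}"
        if not satisfied(tsa.invariants.get(loc, ()), v):
            return False, f"entering {loc} at t={t} violates its invariant"
    return True, f"accepted; final location {loc}, clocks={v}"

def region(v: Valuation, cmax: int):
    """Alur-Dill clock region of a valuation: per clock its integer part and
    whether its fraction is zero (readings above cmax, the largest constant in the
    TSA, are lumped together), plus the ordering of the fractional parts of the
    clocks still at or below cmax. Valuations in one region satisfy the same guards
    and invariants now and after any common delay, so the finitely many regions
    give the finite region automaton for the uncountable-state TSA."""
    parts = {}
    groups: Dict[float, set] = {}
    for x, r in v.items():
        if r > cmax:
            parts[x] = "above cmax"
            continue
        frac = r - math.floor(r)
        parts[x] = (math.floor(r), frac == 0)
        if frac != 0:
            groups.setdefault(frac, set()).add(x)
    order = tuple(frozenset(groups[f]) for f in sorted(groups))
    return tuple(sorted(parts.items())), order

# My reading of the Figure 1 TSA: a resets k and needs k >= 2 (so a actions are at
# least 2 apart, counting from start-up), b_ needs k >= 1, and location S1 carries
# the invariant k <= 3, which forces b_ to occur within 3 time units of a.
FIG1 = TSA(
    clocks=frozenset({"k"}), init="S",
    invariants={"S1": (("k", "<=", 3),)},
    edges=(Edge("S", "a", (("k", ">=", 2),), frozenset({"k"}), "S1"),
           Edge("S1", "b_", (("k", ">=", 1),), frozenset(), "S")),
)

if __name__ == "__main__":
    for run in ([(2.0, "a"), (3.5, "b_"), (5.0, "a"), (6.0, "b_")],   # accepted
                [(2.0, "a"), (2.5, "b_")],                            # b_ before k >= 1
                [(2.0, "a"), (5.5, "b_")],                            # S1 invariant broken
                [(2.0, "a"), (3.0, "b_"), (3.5, "a")]):               # a actions 1.5 apart
        print(check_run(FIG1, run))
```

The last two rejected runs show the two kinds of constraint the text distinguishes: the invariant bounds how long the automaton may wait in S1, while the guard on a enforces the stimulus-stimulus spacing.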

Limiting the state-explosion problem in RA-based model-checking and equivalence-checking algorithms has been of considerable interest in the past few years. The primary means of controlling the state-explosion problem for model checking has been to limit the state space explored to only that necessary to verify the property. But, since equivalence checking generally involves comparing all of the reachable states of the models, it has been limited to those problems involving a handful of clocks and very simple models, or to quite loose definitions of equivalence and extra proof obligations (e.g., the assumes-guarantees proof requirements of Berkeley’s COSPAN system (TB97)) defining when users can rely on the loose equivalence relations.
1.2 Problem Statement


In the big picture, the most abstract problem statement is, “Incorporate timeliness into system requirements and models and then design reliable constraint-satisfying systems.” This certainly includes this research, but it more accurately describes the research efforts of hundreds of computer scientists and electrical engineers over the past 15 years. The following research objectives narrow the scope:

1. Adopt or create a simple modeling formalism rich enough to express discrete-valued behavioral properties and timeliness requirements of digital circuits while modeling continuous time.

2. Canonically define how to model digital circuit components and specify required behaviors and timing using the modeling formalism.

3. Formally define a practical relationship that expresses when one model satisfies the timing and behavioral requirements of another. Prove that the relation has the necessary mathematical properties for meaningful verification.

4. Write a tractable computational procedure that calculates when the relation holds between two models.

5. Demonstrate the utility of the relation on benchmark digital circuit design problems.

6. Define a verification methodology for using the relation to efficiently and hierarchically verify larger systems.

1.3 Organization

The remainder of this document discusses how the research objectives are met. Chapter II reviews more formally how state machines are used by others to model and reason about behavior. It describes the foundation for this work and sets the stage for seeing and understanding the contribution of this research. It does so by defining and critiquing the syntax, semantics, and relationships for several example formalisms. Chapter II discusses the process algebra CCS in considerable detail and defines both strong and weak notions of “equivalence” between CCS automata. It introduces and explains Ken Stevens’ more practical untimed Logic Conformance relation, and the timed formalism Timed CCS. Finally, it defines and explains the assumes-guarantees-based verification methodology for timed processes as implemented in the COSPAN tools from U.C. at Berkeley.

Chapter III defines the syntax and semantics of the modeling formalism used in this research. The Timed Safety Automata (TSA) modeling formalism is successfully used by others for efficient model checking, and it is extended to support this research. Chapter III defines an induced dense-time semantic model for reasoning about TSA behavior called Dense Labeled Transition System (DLTS). It defines how to generate one TSA from another one by restricting, hiding, or renaming its actions. Finally, Chapter III defines how to compose TSA in parallel to make larger and more complex circuit models.

Chapter IV defines the weak “equivalence” relationship called Timed Logic Conformance (TLC). TLC is a timed version of Ken Stevens’ Logic Conformance relation. TLC is actually a partial order over the state space of DLTS. This definition introduces abstractions that allow temporal, structural, and behavioral differences between the compared systems in a practical way. Chapter IV establishes that TLC has the necessary mathematical properties to be a useful relationship for efficiently proving when one model is “equivalent to” or “implements” another.

Chapter V describes a finite representation of DLTS that the Timed Logic Conformance System (TLCS) uses to decide whether or not two TSA satisfy the TLC “equivalence” relationship. It describes the TLCS rules and procedures that efficiently implement the TLC decision procedure, and concludes with a description of the TLCS TSA input format, TLCS TSA parallel composition, and TLCS user interface.
Once the TSA and TLC definitions and proofs have been completed in Chapters III and IV, and the TLCS system is described in Chapter V, Chapter VI demonstrates how TLCS can be used to compare models of electronic circuits in a practical way. It demonstrates TLCS’s utility on several examples, and it defines canonical modeling practices that increase the fidelity of the circuit models. Chapter VI compares TLCS verification results with others in the literature and it concludes with a summary of the benefits of the TLC methodology and tools.

Finally, Chapter VII summarizes this research, enumerates its contributions, and outlines future work.
II. Existing Models and Relationships

This chapter prepares the reader to appreciate and understand the novel approach to the problem of modeling the behavior and timing of a desired electronic circuit and verifying its consistency with circuit implementation models in the subsequent chapters. This chapter reviews and explains several example formalisms for modeling and reasoning about the “equivalent” behavior of concurrent systems. For each formalism, it defines the syntax of the model, model semantics, and relationships between models.

Starting with untimed process algebraic models and mathematical relationships between these models, Section 2.1 shows that these models are not expressive enough to capture the relationship between time passing and action. It explains how equivalence relations between processes are not structurally and behaviorally loose enough to give designers the freedom they need to design efficiently. It gives an example partial order relation that provides a significantly more practical notion of “equivalence” between untimed processes because it safely gives the designer structural and behavioral looseness.

Section 2.2 describes and defines three representative timed modeling formalisms and several strong and loose “equivalence” relationships between timed models. It reveals some expressiveness problems with these formalisms, and it critiques the verification methodologies that they support.

2.1 Untimed Models and Relationships

A process algebra is a mathematical behavior-modeling language with operational semantics; i.e., semantics defined by rules used to evaluate the meaning of sentences in the language. Process algebras are used to describe and reason about the behavior of concurrent systems. Hoare’s Communicating Sequential Processes (CSP) (Hoa85) and Milner’s Calculus of Communicating Systems (CCS) (Mil80, Mil89) are process algebras. CSP and CCS were both originally conceived in the early 1980’s, and they are still widely used because of their firm theoretical foundation and their simplicity.

Generally CSP is a more complex language than CCS and it uses traces (sequences of actions) to compare processes while generally ignoring the effects internal actions can have on trace generation. If two CSP processes can generate the same set of traces, refusals, or failures, they are considered weakly equivalent. CCS and CSP have the same theoretical expressive power; both are Turing complete (Mil89). CCS models are called “agents”. Instead of comparing agents by the traces they can generate, CCS agents are distinguished from one another by notions of bisimulation (i.e., comparing the agents on a state-by-state, action-by-action basis to see if they can always simulate one another or not). Since CCS’s notion of equivalence is easier to compute and somewhat more general, and the CCS language is simpler, the next section focuses on CCS.

2.1.1 CCS. The set of CCS agents is denoted $\mathcal{P}$. The complete syntax for defining a basic CCS agent P is summarized in Table 1.

Table 1. CCS Syntax for Agent P.

    Symbol                   Name
    Nil                      empty process
    Q                        constant
    α.P                      prefix
    P1 + P2 + ... + Pn       summation (choice)
    P1 | P2 | ... | Pn       composition
    P \ L                    restriction
    P[f]                     relabeling

The special CCS agent Nil is “deadlocked” and performs no action; 0 and Nil are used synonymously. The set of actions an agent can perform is its sort. Nil’s sort is $\emptyset$ (the null set). The semantics of CCS agents (e.g., $P, Q \in \mathcal{P}$) are defined by states and action-labeled transitions that move between states. Such transitions are written like $P \xrightarrow{\alpha} Q$ to mean action $\alpha$ occurs on the transition between states P and Q. The predicate $P \xrightarrow{\alpha}$ is true when there exists some Q such that $P \xrightarrow{\alpha} Q$. Let A be the set of input labels, and let $\bar{A}$ be the set of output labels. Overbarred labels like $\bar{a} \in \bar{A}$ are outputs². Input and output actions are complementary; i.e., $\bar{\bar{a}} = a$. The language of agents $\mathcal{L} = A \cup \bar{A}$ includes both inputs and outputs³. The special label $\tau \notin \mathcal{L}$ represents internal action such that $\bar{\tau} = \tau$, and the action set $Act = \mathcal{L} \cup \{\tau\}$. Greek letters are used to denote actions; e.g., $\alpha \in Act$.

Given these definitions, the nine named rules in Table 2 define the operational semantics for CCS over the labeled transition system $(S, Act, \rightarrow)$ where S is a set of states, Act is the set of transition labels, and the transition relation $\rightarrow \subseteq S \times Act \times S$. The rules are precisely semanticized using mathematical arguments of the form:

$$\frac{\text{hypothesis}}{\text{conclusion}}\ (\text{condition})$$


Table 2. CCS Operational Semantic Rules.


The CCS expression X = a.b.X defines the CCS agent X that, according to rule Act, performs the following repeating action sequence: $a.b.X \xrightarrow{a} b.X \xrightarrow{b} a.b.X \ldots$. Each period in X’s definition corresponds to an unnamed state where X waits for the environment to supply the next action label. The constant rule Con supports referring to processes by symbols like R—even recursively to define non-terminating agents. The summation rules $Sum_i$ define nondeterministic choice, allowing processes to execute one of several operations as defined by the summands. The communication rules $Com_i$ define the behavior of processes operating in parallel. Parallel composition is denoted by the “|” operator. According to rules Com1 and Com2, agents in parallel continue to perform their individual actions without affecting each other. Rule Com3 formalizes how two agents, one outputting and one inputting, cooperate to perform an internal action. Other agents cannot participate in the cooperation because the result is a τ-action. Since agents may both continue to perform their individual actions and also cooperate two-at-a-time, CCS’s parallel composition is not synchronous. A synchronous calculus requires that all agents able to cooperate in an action do so and it does not allow any agent to continue to perform common or cooperative actions individually. The restriction rule Res deletes actions specified in set $L \subseteq \mathcal{L}$. When used in conjunction with Com3, Res eliminates the individual actions of the composed agents, but not their cooperative τ-action. For example, composing the two agents $P = a.P'$ and $Q = \bar{a}.Q'$ in parallel with a restricted, $(P \mid Q)\backslash\{a\}$, yields the transition $(P \mid Q)\backslash\{a\} \xrightarrow{\tau} (P' \mid Q')\backslash\{a\}$, but no a or $\bar{a}$ actions exist for the restricted composition. Finally, rule Rel relabels process actions. The relabeling function (f) is defined by supplying tuples (new/old) specifying the old label and the new label. For example, the process X = a.b.X[(tic/a), (toc/b)] performs the repeating action sequence $a.b.X[(tic/a),(toc/b)] \xrightarrow{tic} b.X[(tic/a),(toc/b)] \xrightarrow{toc} a.b.X[(tic/a),(toc/b)] \ldots$

² In some contexts, trailing underscores (e.g., a_) also represent outputs.

³ The symbol = means “is defined as.”

The behavior of asynchronous hardware systems is defined and reasoned about by associating the voltage changes on wires with instantaneous binary events. A voltage change from the false voltage value to the true voltage value is represented by an instantaneous transition from 0 to 1, and vice-versa for true-to-false voltage level changes. Transitions between states are labeled with the name of the wire on which the voltage change occurs to define the events. For example, the CCS agent $Inv \stackrel{\text{def}}{=} a.\bar{b}.Inv$ defines the behavior of a logical inverter with input $a$ and output $b$. It also defines the behavior of a buffer, since outputs can be either 0 or 1 in any state. Every $b$ transition toggles the output from 1 to 0 or from 0 to 1. Input and output values can be associated with states by naming the states of the inverter with input and output values; e.g., the CCS agents $Inv01 \stackrel{\text{def}}{=} a.\bar{b}.Inv10$ and $Inv10 \stackrel{\text{def}}{=} a.\bar{b}.Inv01$ associate state names with values. The next section reveals that the states $Inv01$ and $Inv10$ are both equivalent to state $Inv$ and are more efficiently represented and reasoned about in CCS as the single state $Inv$.

2.1.2 CCS Bisimulations. Milner formalizes two basic notions of equivalence between CCS agents. He calls these equivalences strong bisimulation and weak bisimulation. Bisimulation can be understood as requiring bi-directional simulation between agents; i.e., whatever actions one agent can do, the other can do, and vice-versa. Strong bisimulation demands that even the internal actions ($\tau$-actions) of each agent be matched exactly; weak bisimulation relaxes this requirement.

Definition 1. CCS strong bisimulation. A binary relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a strong bisimulation iff $(P, Q) \in \mathcal{R}$ implies for all $a \in Act$,

1. $\forall P'[P \stackrel{a}{\to} P' \Rightarrow \exists Q'[Q \stackrel{a}{\to} Q' \wedge (P', Q') \in \mathcal{R}]]$

2. $\forall Q'[Q \stackrel{a}{\to} Q' \Rightarrow \exists P'[P \stackrel{a}{\to} P' \wedge (P', Q') \in \mathcal{R}]]$

Definition 2. Strongly bisimilar CCS agents: $P \sim Q$. CCS agents $P$ and $Q$ are strongly bisimilar iff there exists a strong bisimulation $\mathcal{R}$ such that $(P, Q) \in \mathcal{R}$. Writing $P \sim Q$ denotes that $P$ is strongly bisimilar to $Q$.

The largest strong bisimulation is

$$\sim \;\stackrel{\text{def}}{=}\; \bigcup_{\mathcal{R} \in \mathcal{P}(\mathcal{P} \times \mathcal{P})} \{\mathcal{R} \mid \mathcal{R} \text{ is a strong bisimulation}\}$$

It contains all smaller strong bisimulations and specifies exactly which strong bisimulation must contain $(P, Q)$. Milner proves that $\sim$ is an equivalence relation (Mil89:91).

The state relation $\{(Inv10, Inv01), (Inv01, Inv10), (\bar{b}.Inv01, \bar{b}.Inv10), (\bar{b}.Inv10, \bar{b}.Inv01)\}$ is a strong bisimulation relation between the states of the CCS inverter defined above. Given agent $Inv \stackrel{\text{def}}{=} a.\bar{b}.Inv$, the relation $\{(Inv, Inv01), (Inv, Inv10), (\bar{b}.Inv, \bar{b}.Inv01), (\bar{b}.Inv, \bar{b}.Inv10)\}$ is also a strong bisimulation, so the $Inv$ definition can be substituted for both the $Inv10$ and $Inv01$ definitions.

To define weak bisimulation, two abstractions must first be defined. The first abstraction is the transitive reflexive $\tau$-closure: $P(\stackrel{\tau}{\to})^*P'$, meaning zero or more $\tau$-actions occur between $P$ and $P'$. When there are no $\tau$-actions, $P = P'$. The transitive reflexive $\tau$-closure leads to a $\tau$-closure over specified actions, which is a superset of the $\to$ transition relation. The transitive closure relation is denoted by the double-barred arrow, $\Rightarrow$.

Definition 3. CCS $\tau$-closure: $P \stackrel{a}{\Rightarrow} P'$.

$$\forall a \in Act \quad P \stackrel{a}{\Rightarrow} P' \;\stackrel{\text{def}}{=}\; P (\stackrel{\tau}{\to})^* \stackrel{a}{\to} (\stackrel{\tau}{\to})^* P'$$

Writing $P \stackrel{a}{\Rightarrow} P'$ denotes that there is a transition from $P$ to $P'$ by action $a$ in the $\tau$-closure. Note that $P \stackrel{\tau}{\Rightarrow} P'$ means at least one $\tau$ occurs between $P$ and $P'$. Writing $P \stackrel{a}{\Rightarrow}$ means there exists some $P'$ such that $P \stackrel{a}{\Rightarrow} P'$.


The second abstraction provides a way to match $\tau$-actions with zero or more $\tau$-actions and visible actions by $\tau$-closure. The abstraction is called $\tau$-abstraction. Hatted action symbols (e.g., $\hat{a}$) denote $\tau$-abstraction; $\tau$-abstraction is used in conjunction with $\tau$-closure to allow structural differences between CCS agents.

Definition 4. CCS $\tau$-abstraction: $P \stackrel{\hat{a}}{\Rightarrow} P'$.

$$\forall a \in Act \quad P \stackrel{\hat{a}}{\Rightarrow} P' \;\stackrel{\text{def}}{=}\; \begin{cases} P(\stackrel{\tau}{\to})^*P' & (a = \tau) \\ P \stackrel{a}{\Rightarrow} P' & (a \neq \tau) \end{cases}$$

CCS $\tau$-abstraction is used on the consequent side of bisimulation-style relation formulas to specify that $\tau$-actions in the antecedent can be matched by zero or more $\tau$-actions in the consequent. In the case that they are matched by zero $\tau$-actions, the agent on the consequent side does not perform any action and stays in the same state. This abstraction allows systems being compared to have zero or more structural differences between them and still be considered "equivalent."

Both Milner and Stevens define $\tau$-closure and $\tau$-abstraction over elements from the set of all sequences of actions from $Act$ (this set is denoted $Act^*$), but for this chapter the above definitions suffice. Stevens uses sequences from $Act^*$ to formally define trace equivalence and trace conformance; his work is a practical discussion of the differences between labeled transition systems distinguished by the different relations (Ste94:pp. 111-136).

The $\tau$-closure and $\tau$-abstraction definitions are the basis for defining the weak bisimulation relation for CCS agents. Weak bisimulation allows agents to have different structure but still be considered equivalent based on the actions that they can perform.

Definition 5. CCS weak bisimulation. A binary relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a weak bisimulation iff $(P, Q) \in \mathcal{R}$ implies for all $a \in Act$,

1. $\forall P'[P \stackrel{a}{\to} P' \Rightarrow \exists Q'[Q \stackrel{\hat{a}}{\Rightarrow} Q' \wedge (P', Q') \in \mathcal{R}]]$

2. $\forall Q'[Q \stackrel{a}{\to} Q' \Rightarrow \exists P'[P \stackrel{\hat{a}}{\Rightarrow} P' \wedge (P', Q') \in \mathcal{R}]]$

Definition 6. Weakly bisimilar CCS agents: $P \approx Q$. CCS agents $P$ and $Q$ are weakly bisimilar iff there exists a weak bisimulation $\mathcal{R}$ such that $(P, Q) \in \mathcal{R}$. Writing $P \approx Q$ denotes when $P$ is weakly bisimilar to $Q$.

The largest weak bisimulation is

$$\approx \;\stackrel{\text{def}}{=}\; \bigcup_{\mathcal{R} \in \mathcal{P}(\mathcal{P} \times \mathcal{P})} \{\mathcal{R} \mid \mathcal{R} \text{ is a weak bisimulation}\}$$

It contains all smaller weak bisimulations and specifies exactly which weak bisimulation must contain $(P, Q)$. Milner shows that $\approx$ is an equivalence relation (Mil89:110).
CCS bisimulation is a congruence relation; i.e., it is preserved in all algebraic contexts. Milner proves this (Mil89:98) by showing that $P_1 \sim P_2$ implies

(1) $a.P_1 \sim a.P_2$

(2) $P_1 + Q \sim P_2 + Q$

(3) $P_1 \mid Q \sim P_2 \mid Q$

(4) $P_1 \backslash L \sim P_2 \backslash L$

(5) $P_1[f] \sim P_2[f]$

Weak bisimulation is not a congruence because summation does not preserve the weak bisimulation relation; e.g., $b.0 \approx \tau.b.0$ but $a.0 + b.0 \not\approx a.0 + \tau.b.0$. However, for the set of CCS agents with guarded actions, i.e., those where every $\tau$ action is preceded by a visible action, weak bisimulation is also a congruence.


2.1.3 Logic Conformance. In an effort to further loosen the relationship between CCS agents and safely give designers more freedom, Stevens defines a bisimulation-style partial order relationship called logic conformance (Ste94). Unlike Milner's strong and weak bisimulation, logic conformance is not symmetric, so the implementation agent ($I$) must be distinguished from the specification agent ($S$). Usually implementations are less abstract models than specifications. Ultimately, at the lowest level of abstraction, implementations are models of the design primitives from which systems are constructed. In the case of electronic circuits, design primitives are models of logic gates that abstract the voltage levels of the underlying transistor circuits to either true (1) or false (0), and the changes in value from true to false or false to true occur instantaneously.

Definition 7. Logic Conformance. A binary relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a logic conformance iff $(I, S) \in \mathcal{R}$ implies for all $a \in Act$, with $\bar{a}$ ranging over output actions,

1. $\forall S'[S \stackrel{a}{\to} S' \Rightarrow \exists I'[I \stackrel{\hat{a}}{\Rightarrow} I' \wedge (I', S') \in \mathcal{R}]]$

2. $\forall I'[I \stackrel{\bar{a}}{\to} I' \Rightarrow \exists S'[S \stackrel{\hat{\bar{a}}}{\Rightarrow} S' \wedge (I', S') \in \mathcal{R}]]$

3. $\forall I'[(I \stackrel{a}{\to} I' \wedge S \stackrel{a}{\Rightarrow}) \Rightarrow \exists S'[S \stackrel{\hat{a}}{\Rightarrow} S' \wedge (I', S') \in \mathcal{R}]]$

Definition 8. Logically Conformant CCS agents: $I \sqsubseteq S$. CCS agents $I$ and $S$ are logically conformant iff there exists a logic conformance $\mathcal{R}$ such that $(I, S) \in \mathcal{R}$. Writing $P \sqsubseteq Q$ denotes when $P$ is logically conformant to $Q$.

The largest logic conformance is

$$\sqsubseteq \;\stackrel{\text{def}}{=}\; \bigcup_{\mathcal{R} \in \mathcal{P}(\mathcal{P} \times \mathcal{P})} \{\mathcal{R} \mid \mathcal{R} \text{ is a logic conformance}\}$$

It contains all smaller logic conformances and specifies exactly which logic conformance must contain $(I, S)$. Stevens proves that $\sqsubseteq$ is a partial order (Ste94:143). Weak bisimulation is the equivalence relation that exists whenever logic conformance holds in both directions; i.e., $I \sqsubseteq S \wedge S \sqsubseteq I \Rightarrow I \approx S$.

The difference between weak bisimulation and logic conformance is the extra conjunct in the implication antecedent of Definition 7 property 3. When $S \stackrel{a}{\Rightarrow}$ is false, it does not matter that $I$ has a to-state $I'$ reachable by $a$ (such to-states are called $a$ derivatives). This means that $I$ may accept inputs that $S$ does not. If these unmatched inputs are in the specification's language, then the implementation accepts them more often than the specification does. In case they are not in the specification's language, then they are truly irrelevant and cannot be required of any implementation that replaces $S$. In either case, the specification defines the inputs that must be accepted and the behavior that follows them. Therefore, in all contexts where the specification accurately represents the desired behavior, logic conformant implementations behave "the same" as the specification. This freedom allows detailed implementations that accurately model the behaviors of design primitives to be considered satisfactory implementations of much less complex specifications even though there are vast differences in their state spaces. Logic conformance provides more freedom of implementation because implementation behavior in states unreachable under the specification's input constraints is completely unrestricted (Ste94:p.120).

Logic conformance does give designers more freedom of implementation, but it does not necessarily preserve all modal logic or modal $\mu$-calculus properties as bisimulation and weak bisimulation do. For example, given $I \stackrel{\text{def}}{=} a.b\_.I + c.d\_.0$ and $S \stackrel{\text{def}}{=} a.b\_.S$, $I \sqsubseteq S$, and $I \models \langle c \rangle \langle d\_ \rangle T$ but $S$ does not. The symbol "$\models$" is read "models" and means "satisfies property." Conversely, $S \models \langle a \rangle T \wedge [-a]F$ ($S$ can do an $a$ action and no other) but $I \not\models \langle a \rangle T \wedge [-a]F$. In fact, $I$ has a deadlock ($I$ can reach $0$), and $S$ does not deadlock. Giving the designer this much freedom of implementation theoretically requires that specification properties specified by modal logic or modal $\mu$-calculus formulae be model checked in addition to checking the logic conformance relation. From a practical point of view, if $S$ completely defines $I$'s input environment, then conditions like $I$'s deadlock or its unmatched output can never be reached and model checking is not required.
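The three relations of this section, as an added worked example that is not code from the dissertation, nor from Milner's or Stevens' work: the largest strong bisimulation (Definition 1), weak bisimulation (Definition 5) and logic conformance (Definition 7) are each computed as a greatest fixpoint over small hand-unfolded transition systems, including the inverter defined earlier, the summation counterexample $b.0 \approx \tau.b.0$ versus $a.0 + b.0 \not\approx a.0 + \tau.b.0$, and the agents $I$ and $S$ just discussed. The state names, the label "tau" for $\tau$, the trailing-underscore convention for outputs, and the choice to treat $I$'s $\tau$ moves like outputs in clause 2 are assumptions of this example.

```python
# Added example: greatest-fixpoint checks for Definitions 1, 5 and 7 over finite
# labelled transition systems. Illustrative code written for this page, not code
# from the dissertation or from Milner's or Stevens' work. Assumptions: agents are
# unfolded into finite state graphs by hand, "tau" is the internal action, and
# outputs are recognised by a caller-supplied predicate (here a trailing "_").
from itertools import product

TAU = "tau"


class LTS:
    """Finite labelled transition system: state -> list of (label, successor)."""

    def __init__(self, trans):
        self.trans = trans
        self.states = set(trans)
        for edges in trans.values():
            self.states.update(t for _, t in edges)

    def labels(self):
        return {a for edges in self.trans.values() for a, _ in edges}

    def step(self, s, a):
        """Strong step: every s' with s --a--> s'."""
        return {t for a2, t in self.trans.get(s, ()) if a2 == a}

    def tau_closure(self, s):
        """(--tau-->)*: s itself plus everything reachable by tau steps only."""
        seen, work = {s}, [s]
        while work:
            for t in self.step(work.pop(), TAU):
                if t not in seen:
                    seen.add(t)
                    work.append(t)
        return seen

    def weak(self, s, a):
        """Definition 3, tau-closure: s ==a==> s' is (tau)* a (tau)*."""
        return {z for x in self.tau_closure(s) for y in self.step(x, a)
                for z in self.tau_closure(y)}

    def weak_hat(self, s, a):
        """Definition 4, tau-abstraction: (tau)* when a is tau, else ==a==>."""
        return self.tau_closure(s) if a == TAU else self.weak(s, a)


def covered(R, movers, matchers, left):
    """Every p' in movers has some q' in matchers with the pair already in R."""
    return all(any(((p2, q2) if left else (q2, p2)) in R for q2 in matchers)
               for p2 in movers)


def largest_relation(P, Q, keep_pair):
    """Start from the full product and drop pairs that violate their matching
    obligations until nothing changes: the greatest fixpoint, i.e. the largest
    relation of the requested kind (the union the section's definitions describe)."""
    R = set(product(P.states, Q.states))
    while True:
        R2 = {pq for pq in R if keep_pair(R, *pq)}
        if R2 == R:
            return R
        R = R2


def strong_bisimilar(P, p, Q, q):
    acts = P.labels() | Q.labels()

    def ok(R, x, y):                       # Definition 1, clauses 1 and 2
        return all(covered(R, P.step(x, a), Q.step(y, a), True) and
                   covered(R, Q.step(y, a), P.step(x, a), False) for a in acts)
    return (p, q) in largest_relation(P, Q, ok)


def weak_bisimilar(P, p, Q, q):
    acts = P.labels() | Q.labels() | {TAU}

    def ok(R, x, y):                       # Definition 5: strong move, hatted match
        return all(covered(R, P.step(x, a), Q.weak_hat(y, a), True) and
                   covered(R, Q.step(y, a), P.weak_hat(x, a), False) for a in acts)
    return (p, q) in largest_relation(P, Q, ok)


def conforms(I, i, S, s, is_output):
    """Definition 7, I logically conforms to S. Clause 1: every move of the spec
    is matched by I. Clause 2: every output of I is matched by S. Clause 3: an
    input of I needs a match only when S ==a==> holds. tau moves of I are treated
    like outputs (an assumption of this example, not stated on the page)."""
    acts = I.labels() | S.labels() | {TAU}

    def ok(R, x, y):
        for a in acts:
            if not covered(R, S.step(y, a), I.weak_hat(x, a), False):
                return False
            if is_output(a) or a == TAU or S.weak(y, a):
                if not covered(R, I.step(x, a), S.weak_hat(y, a), True):
                    return False
        return True
    return (i, s) in largest_relation(I, S, ok)


def is_output(a):
    return a.endswith("_")


# Constructed agents from the text, unfolded into state graphs by hand.
INV = LTS({"Inv": [("a", "b_.Inv")], "b_.Inv": [("b_", "Inv")]})
INV01 = LTS({"Inv01": [("a", "b_.Inv10")], "b_.Inv10": [("b_", "Inv10")],
             "Inv10": [("a", "b_.Inv01")], "b_.Inv01": [("b_", "Inv01")]})
B0 = LTS({"b.0": [("b", "0")]})                                    # b.0
TB0 = LTS({"t.b.0": [(TAU, "b.0")], "b.0": [("b", "0")]})          # tau.b.0
AB = LTS({"a.0+b.0": [("a", "0"), ("b", "0")]})                    # a.0 + b.0
ATB = LTS({"a.0+t.b.0": [("a", "0"), (TAU, "b.0")], "b.0": [("b", "0")]})
I_AGENT = LTS({"I": [("a", "b_.I"), ("c", "d_.0")], "b_.I": [("b_", "I")],
               "d_.0": [("d_", "0")]})                             # a.b_.I + c.d_.0
S_AGENT = LTS({"S": [("a", "b_.S")], "b_.S": [("b_", "S")]})       # a.b_.S

if __name__ == "__main__":
    print(strong_bisimilar(INV, "Inv", INV01, "Inv01"))        # True
    print(weak_bisimilar(B0, "b.0", TB0, "t.b.0"))             # True
    print(weak_bisimilar(AB, "a.0+b.0", ATB, "a.0+t.b.0"))     # False
    print(conforms(I_AGENT, "I", S_AGENT, "S", is_output))     # True
    print(conforms(S_AGENT, "S", I_AGENT, "I", is_output))     # False
```

The last two results show the asymmetry of Definition 7: with $I$ as implementation, its extra input $c$ is ignored because $S \stackrel{c}{\Rightarrow}$ is false, but with the roles swapped the specification's input $c$ must be accepted by the implementation, which $S$ cannot do, so the relation fails in that direction even though it holds in the other.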

2.2 Timed Models and Relationships

Untimed  process  algebras  do  not  provide  any  power  to  specify  and  reason  about  the  timing  of 
different  events.  That  leads  us  to  examine  how  timing  of  actions  might  be  specified  and  reasoned 
about  like  CCS  agents.  There  are  many  different  formalisms,  each  with  different  syntax,  and 
some  more  expressive  than  others  (ACD90,  CH92,  CL96b,  Cer92,  CGL93,  Cer95,  CLK94,  Dan92, 
FH92,  GF90,  GV95,  GSSAL94,  Hal92,  HJ95,  HB94,  JM86,  JU93,  Kan95,  Koy92,  Kri92,  Lad86, 
LY93,  LLPY97,  LBGG94,  MM91,  MRM94,  Mol91,  Wan90).  For  each  formalism  slightly  different 
formal  relationships  have  been  defined.  Three  representative  formalisms  are  examined:  first,  a 
simple  timed-process-algebra  extension  of  CCS  called  Timed  CCS;  second,  a  more  expressive  timed- 
process-algebra-based  formalism  for  the  Calculus  of  timed  refinement  (CTR)  relation;  third,  a  very 
expressive  Mealy-machine  formalism  called  a  timed  process. 
2.2.1 TCCS. Wang's Timed CCS (TCCS) extends Milner's CCS with arbitrary integral or real-valued delays (Wan90). Wang writes $P \stackrel{\epsilon(t)}{\to} Q$ to mean that after $t$ units of time, $P$ becomes $Q$, where $\epsilon$ stands for idling. Note that $P \stackrel{\epsilon(0)}{\to} P$. TCCS actions other than idling are instantaneous; i.e., no time passes as an action occurs unless the action is an idling action ($\epsilon$-action). TCCS enjoys the same simple syntax as CCS, but it does not readily support specifying temporal relationships between actions that are separated by other observable actions. Wang defines notions of strong and weak timed bisimulation equivalence between TCCS agents. Definitions for Wang's relations are not included here because they are the same as Milner's with the extension of $a$ ranging over both $Act$ and $\epsilon$-actions. Both strongly and weakly bisimilar TCCS agents satisfy all timed modal logic formulas that are true of each other (HLY91, LY93). Of course, this means that no temporal differences between observable events can be distinguished between strongly or weakly bisimilar TCCS agents as long as time passes continuously around $\tau$'s (i.e., $P (\stackrel{\tau}{\to})^* Q \Rightarrow$

There are four special properties of TCCS agents. First, by definition, $\tau$-actions occur as soon as they are enabled, resulting in a maximal progress assumption; i.e., no TCCS agent $P$ will wait unnecessarily to $\tau$:

$$\exists Q[P \stackrel{\tau}{\to} Q] \Rightarrow \forall t > 0\,[P \stackrel{\epsilon(t)}{\nrightarrow}]$$

Maximal progress further distinguishes observable actions $a.P$ from internal actions $\tau.P$ because $\tau.P$ has only one $\tau$-transition, and $a.P$ has a chain of $\epsilon(t)$-transitions because $a.P$ is willing to wait for any $t$ units of time for the environment to offer an $\bar{a}$. The maximal progress assumption turns all cooperative $a$ and $\bar{a}$ action pairs into instantaneous $\tau$-actions even though the $a$- and $\bar{a}$-capable agents may individually be able to wait for arbitrary amounts of time before acting outside of the parallel composition combining them.
Second, TCCS agents are determinant; i.e., idling leads to syntactically identical states:

$$P \stackrel{\epsilon(t)}{\to} P_1 \wedge P \stackrel{\epsilon(t)}{\to} P_2 \Rightarrow P_1 = P_2$$

Third, TCCS agents are continuous; i.e., TCCS agents must pass through all intermediate time values:

$$P \stackrel{\epsilon(t+t')}{\to} P_2 \Rightarrow \exists P_1[P \stackrel{\epsilon(t)}{\to} P_1 \wedge P_1 \stackrel{\epsilon(t')}{\to} P_2]$$

Fourth, TCCS agents are persistent; i.e., no agent loses its ability to perform an action it was able to perform originally:

$$P \stackrel{a}{\to} P_1 \wedge P \stackrel{\epsilon(t)}{\to} P_2 \Rightarrow \exists P_1'[P_2 \stackrel{a}{\to} P_1']$$

Persistence makes it impossible to specify an upper timing bound in TCCS without introducing a $\tau$-transition that forces the agent into another state in accordance with maximal progress. For example, the agent $S0 \stackrel{\text{def}}{=} \epsilon(2).a.S0 + \epsilon(3).b.S0 + \epsilon(30).\tau.Nil$ can, after $t \in [2, 30)$ time units, do $a$, and after $t \in [3, 30)$ time units do $b$, and repeat forever. However, if $t = 30$ time units pass without $a$ or $b$, then $S0$ is deadlocked.

The semantics of TCCS depend greatly on treating $\tau$ and visible actions significantly differently, but there is little intuition behind the semantic leap from $P \stackrel{a}{\to} P' \wedge Q \stackrel{\bar{a}}{\to} Q'$ to $P \mid Q \stackrel{\tau}{\to} P' \mid Q'$. Individually, $P$ and $Q$ can wait forever to perform $a$ and $\bar{a}$, but $P \mid Q$ must immediately perform $\tau$ in accordance with maximal progress (Wan90).

Recall that specifying time relationships between two actions that have a third action between them is not directly possible without resorting to describing the relationships via multiple parallel agents. For example, assume $\alpha$ and $\gamma$ never occur closer than 3 time units from each other, but that $\beta$ can occur at any time. Some possibilities for specifying this situation are $P.\alpha.\epsilon(3).\gamma.\beta.Q + P.\alpha.\epsilon(3).\beta.\gamma.Q + P.\beta.\alpha.\epsilon(3).\gamma.Q$, and even $P.\alpha.\epsilon(1.75).\beta.\epsilon(1.25).\gamma.Q$, but no one can finitely specify all the possible ways to split up the real-valued 3 in this fashion.

TCCS does preserve timed modal logic and $\mu$-calculus properties, but the semantic gap between visible and $\tau$-transitions, its limited provision for specifying upper time bounds, and its constraints on specifying timing relationships between non-sequential actions tend to stifle its practical application and lead us in search of a higher-fidelity and more expressive formalism, like the one discussed in the next section.

2.2.2  Calculus  of  Timed  Refinement  (CTR).  TCCS  relaxes  the  equivalence  relation  such 
that  the  internal  structure  of  the  systems  may  be  quite  different  for  weak-timed-bisimilar  agents, 
but  it  does  not  allow  the  timing  of  the  visible  actions  of  those  systems  to  vary.  Timed-bisimulation 
equivalence  is  too  strong  a  relation  for  deciding  whether  or  not  one  agent  can  be  substituted  for 
another,  and  most  agree  that  even  weak-timed-bisimulation  overly  restricts  the  freedom  of  designers. 

This  notable  attempt  to  give  designers  more  expressiveness  and  freedom  of  implementation 
focuses  on  the  implementation  half  of  the  bisimulation  relation.  Cerans’  Calculus  of  Timed  Refine¬ 
ment  (CTR)  relaxes  the  timing  relationship  between  CCS-like  agents  such  that  the  implementation’s 
timing  is  more  precise  than  the  specification’s  (i.e.,  the  timing  of  implementation  actions  may  be 
a  subset  of  those  allowed  for  specification  actions)  (Cer95),  and  CTR  provides  a  way  to  express 
minimum  and  maximum  time  passing  using  time  intervals. 

2.2.2.1 CTR Agents. The set of all CTR agents is denoted $\mathcal{E}$. For CTR agents $E, F, G \in \mathcal{E}$ and $a \in Act$, the syntax used to define agent $E$ is defined by the grammar:

$$E ::= nil \mid F \mid [c,e].F \mid a.F \mid F + G \mid F \| G \mid F \backslash L \mid F[f]$$

The expression $[c,e].F$ adds the timing delay before $F$ for $c \in \mathbb{R}^+ = [0, \infty)$, $e \in \mathbb{R}^+ \cup \{\infty\}$, $c \leq e$. The expression $\epsilon(d).E$ is another notation for $[d,d].E$. Time progresses by $\epsilon(d)$ units when $[c,e].E \stackrel{\epsilon(d)}{\to} [b, e-d].E$, $e \geq d$, and $b = \max\{0, c-d\}$. CTR introduces another special internal action $\iota \notin Act$, where $Act^+ = Act \cup \{\iota\}$ and $a^+ \in Act^+$ ranges over $Act^+$. The special internal action $\iota$ denotes when an agent exits the delay prefix sometime after the lower timing bound has been reached but before the upper timing bound expires; i.e., $[0,e].E \stackrel{\iota}{\to} E$. Once the upper bound of the delay prefix expires, the delay prefix can be exited without $\iota$ occurring; i.e., $[0,0].E \stackrel{a}{\to} E'$.

Unfortunately, CTR's operational rules defining the semantics of the expressions are considerably more complex than those of CCS and TCCS, requiring 21 different rules. Table 3 denotes the 12 rules CTR adds to CCS's 9 rules already defined in Table 2. CCS's Con, Com1, Com2, Res, and Rel rules are extended over $a^+ \in Act^+$, and $a \in Act$ applies to the rules in Table 3 for agents $E, F \in \mathcal{E}$.


Table 3. CTR Operational Semantic Rules.

     E → E'             F → F'             E → E'    F → F'
  -------------      -------------      ---------------------  (Sort(d, E) ∩ Sort(d, F) = ∅)
  E+F → E'+F         E+F → E+F'         E+F → E'+F'

     E → E'             E → E'
  -------------      ---------------
  E\L → E'\L         E[f] → E'[f]

                       E --a--> E'
  [0,e].E --ι--> E   -------------------   [c,e].E --ε(d)--> [b, e−d].E   (e ≥ d ∧ b = max{0, c−d})
                     [0,0].E --a--> E'

CTR incorporates Wang's notion of maximal progress, so no further delay is possible when a $\tau$-transition is enabled (Cer95:p519). CTR abstracts structural ($\tau$) and time-passing ($\iota$) differences between transition relations by letting $\stackrel{\tau}{\Rightarrow} = (\stackrel{\tau}{\to})^*$ and $E \stackrel{a}{\Rightarrow}_\tau E'$ denote $E \stackrel{\tau}{\Rightarrow} \stackrel{a}{\to} \stackrel{\tau}{\Rightarrow} E'$, letting also $\stackrel{\iota}{\Rightarrow} = (\stackrel{\iota}{\to})^*$ and $\stackrel{a}{\Rightarrow}_\iota$ denote $\stackrel{\iota}{\Rightarrow} \stackrel{a}{\to} \stackrel{\iota}{\Rightarrow}$, as well as $\stackrel{\iota,\tau}{\Rightarrow} = (\stackrel{\iota}{\to} \cup \stackrel{\tau}{\to})^*$ and $\stackrel{a}{\Rightarrow}_{\iota,\tau}$ denote $\stackrel{\iota,\tau}{\Rightarrow} \stackrel{a}{\to} \stackrel{\iota,\tau}{\Rightarrow}$, for $a \in Act$.

CTR defines matching delay transitions from delay prefixes ($d \in \mathbb{R}^+$) to a CTR agent $E \in \mathcal{E}$ by functions $f_-, f_+ : [0, d] \to \mathcal{E}$ such that:

• $f_-(0) = E$

• and

  – $\forall d' \in [0,d]\,[f_-(d') \stackrel{\iota,\tau}{\Rightarrow} f_+(d')]$

  – $\exists d_0, d_1, \ldots, d_k \in [0,d]\,[d_0 = 0 \wedge d_k = d \wedge \forall\, 0 \leq i < k\,[d_{i+1} > d_i]]$ and

    * $\forall d' \in [0,d] \setminus \{d_0, d_1, \ldots, d_k\}\,[f_-(d') = f_+(d')]$

    * $\forall\, 0 \leq j < k,\ d' \in (d_j, d_{j+1}]\,[f_+(d_j) \stackrel{\epsilon(d'-d_j)}{\to} f_-(d')]$

Under these conditions the pair of functions $f = (f_-, f_+)$ is an $(E,d)$-trace. The set of $(E,d)$-traces is denoted by $E \stackrel{d}{\Rightarrow}_{\iota,\tau}$, and $E \stackrel{d}{\Rightarrow}_\tau$ and $E \stackrel{d}{\Rightarrow}_\iota$ are the sets of $(E,d)$-traces not involving any internal $\stackrel{\iota}{\to}$ transitions and not involving $\stackrel{\tau}{\to}$ transitions, respectively.

For two CTR agents $I$ and $S$, $f \in I \stackrel{d}{\Rightarrow}_{\iota,\tau}$ and $g \in S \stackrel{d}{\Rightarrow}_{\iota,\tau}$, and a relation $\mathcal{R} \subseteq \mathcal{E} \times \mathcal{E}$, the predicate $(f,g) \in \mathcal{R}^d$ is true if

$$\forall d' \in [0,d]\,[(f_+(d'), g_+(d')) \in \mathcal{R} \wedge (f_-(d'), g_-(d')) \in \mathcal{R}]$$

The predicate $(f,g) \in \mathcal{R}^d$ is used to require that $S$ be able to match $I$'s observable behavior continuously while $I$ passes time $d$.

The predicate $E \stackrel{\iota^\infty}{\to}$ denotes an infinite chain of $\stackrel{\iota}{\to}$ transitions starting at $E$: $E \stackrel{\iota}{\to} E_1 \stackrel{\iota}{\to} E_2 \stackrel{\iota}{\to} \cdots$

2.2.2.2 CTR Relations.

Definition 9. CTR Refinement Relation. A relation $\mathcal{R} \subseteq \mathcal{E} \times \mathcal{E}$ is a CTR refinement relation iff

$\forall (I, S) \in \mathcal{R}\,[$

(1) $I \stackrel{a^+}{\to} I' \Rightarrow \exists S'[S \stackrel{a^+}{\Rightarrow}_{\iota,\tau} S' \wedge I' \mathcal{R} S'] \;\wedge$

(2) $S \stackrel{a}{\to} S' \Rightarrow \exists I'[I \stackrel{a}{\Rightarrow}_\tau I' \wedge I' \mathcal{R} S'] \;\wedge$

(3) $f \in I \stackrel{d}{\Rightarrow}_\tau \Rightarrow \exists g[g \in S \stackrel{d}{\Rightarrow}_{\iota,\tau} \wedge (f,g) \in \mathcal{R}^d] \;\wedge$

(4) $I \stackrel{\iota^\infty}{\to} \Rightarrow S \stackrel{\iota^\infty}{\to}\;]$

Note that CTR asymmetrically specifies the requirements for action matching between specification $S$ and implementation $I$. Formula 1 requires that all $I$ internal actions exiting delay prefixes be matched by the specification $S$, but not conversely in Formula 2. In the same formulas, the specification is given more flexibility for matching the implementation, closing its relation over $\iota$ as well as $\tau$. Further, only implementation delay actions $\epsilon(d)$ need be matched according to Formula 3. There is nothing requiring the implementation to match specification delay actions. Formula 4 ensures that internal divergence by the implementation is also possible by the specification.

Definition 10. CTR Refinement: $I \leq S$. CTR agent $I$ refines CTR agent $S$ iff there exists a CTR refinement relation $\mathcal{R}$ such that $(I, S) \in \mathcal{R}$. Writing $I \leq S$ denotes when $I$ refines $S$.

2.2.2.3 CTR Summary. CTR preserves timed modal-logic and $\mu$-calculus properties. In fact, it implies TCCS weak-timed bisimulation when limited to the subset of timing relationships expressed by TCCS agents (Cer95:p.525).

Ultimately, for all its complexity, CTR's only real benefit over TCCS is the fact that CTR relaxes the time relationship between actions of the two systems. In CTR, the agent $I ::= a.[1,3].b\_.I$ refines $S ::= a.[0,4].b\_.S$, but they are not TCCS weakly bisimilar because $S$ can do $b\_$ immediately after $a$, but $I$ cannot.

CTR's delay prefixes are a clean way to specify upper time bounds that cannot easily be specified with TCCS agents. CTR is still limited to specifying timing relationships between sequential actions (e.g., separating occurrences of $a$ in the TSA from Figure 1 by two or more time units is not possible in CTR). Also, since CTR maintains TCCS's maximal progress property, CTR does not close the semantic gap between visible and $\tau$-transitions. CTR refines the timing of both input and output actions such that they are both "more precise" in the implementation than in the specification. A refinement relation that allows an implementation not to accept every input that the specification does is not very useful. For these reasons, and because of the computational complexity of algorithms to implement it, CTR is not used extensively to specify, design, and reason about real designs.

2.2.3  Timed  Simulation  and  Assumes-Guarantees  Reasoning.  The  second  notable  at¬ 
tempt  to  give  designers  more  freedom  of  implementation  also  focuses  on  the  implementation  half  of 
the  bisimulation  relation  (TAKB96).  These  Bell  Labs  and  Berkeley  researchers  have  implemented 
a  system  (timed  COSPAN)  for  checking  timed  simulation  relations  and  for  doing  hierarchical  and 
compositional  verification  with  assumes-guarantee  style  proof  rules.  The  primary  difference  between 
their  modeling  formalism  and  CTR  is  the  computational  model. 

2.2.3.1 Timed Processes. The computational model of the COSPAN formalism is a Moore machine called a timed process, not a CCS, TCCS, or CTR agent. Timed processes are more complicated than TCCS or CTR agents, but they provide the capability to temporally relate actions that do not occur sequentially by declaring and resetting clock variables on transitions and using those clock variables in predicates that determine when actions may occur. The timed process definition follows.

Let $X$ be a finite set of real-valued clock variables. An $X$-valuation $\Phi$ assigns a nonnegative real value $\Phi(x)$ to each variable $x \in X$. Let $\Phi$ be an $X$-valuation, and for each real-valued $\delta \geq 0$, $\Phi + \delta$ denotes the $X$-valuation assigning $\Phi(x) + \delta$ to each variable $x$, and $\mathbf{0}$ denotes the $X$-valuation assigning 0 to every $x \in X$. For $Y \subseteq X$, $\Phi[Y := 0]$ denotes the $X$-valuation assigning 0 to every $y \in Y$ and $\Phi(x)$ to $x \notin Y$ (a projection). An $X$-predicate is a positive Boolean combination of constraints of the form $x \circ k$ for $k$ a nonnegative integer constant, $x \in X$ a variable, and $\circ \in \{\leq, \geq, =\}$. Writing $\Phi \models \varphi$ denotes that $\Phi$ satisfies the $X$-predicate $\varphi$.

For $P$ a finite set of variables, each ranging over a finite domain, a $P$-valuation $f$ is an assignment of values to variables in $P$. For $f$ and $Q \subseteq P$, $f(Q)$ denotes the $Q$-valuation restricting $f$ to the variables in $Q$. A $P$-event is a pair $(f, f')$ denoting the old ($f$) and new ($f'$) values of variables in $P$. A $P$-predicate $\chi$ is a subset of $P$-events. For example, the $P$-predicate $\neq P$ is the set of all $P$-events $(f, f')$ such that $\forall p \in P\,[f'(p) \neq f(p)]$. To ensure all variable assignments stay the same, the predicate $Stutter(P)$ is defined as:

$$Stutter(P) = \bigwedge_{p \in P} p' = p$$

Definition 11. Timed Process. Let $\mathcal{TP}$ be the set of all timed processes. A timed process $A \in \mathcal{TP}$ is an eight-tuple $(S, S_0, X, O, I, \alpha, \mu, E)$ such that

• $S$ is a finite non-empty set of locations.

• $S_0$ is the non-empty set of initial locations.

• $X$ is the finite set of real-valued clock variables.

• $O$ and $I$ are finite sets of output and input variables, each ranging over a finite type, $I \cap O = \emptyset$.

• $\alpha$ is the invariant function assigning the $X$-predicate $\alpha(s)$ to each location $s \in S$.

• $\mu$ is the output function assigning $\mu(s)$ to each location $s \in S$.

• $E$ is the finite set of edges. Each edge $e \in E$ is a 5-tuple $(s, t, \varphi, \chi, Y)$ of source and destination locations $s$ and $t$, clock predicate $\varphi$, input predicate $\chi$, and the set of clocks $Y \subseteq X$ to be reset. Two modeling constraints are:

  1. $\forall s \in S\,[(s, s, true, Stutter(I), \emptyset) \in E]$

  2. For every pair of locations there is at most one edge between them.

A state $\sigma$ of $A$ is a pair $(s, \Phi)$ containing the location $s$ and the $X$-valuation $\Phi \models \alpha(s)$, and the set of states is $\Sigma_A$. A state $(s, \Phi)$ is initial if $s \in S_0$ and $\forall x \in X\,[\Phi(x) = 0]$.
Given state $\sigma = (s, \Phi)$ of $A$, and positive time increment $\delta$, $A$ can wait for $\delta$ in state $\sigma$, written $wait(\sigma, \delta)$, iff $\forall\, 0 \leq \delta' \leq \delta\,[(\Phi + \delta') \models \alpha(s)]$. A timed event $\gamma$ of $A$ is a tuple $(\delta, f, f')$ consisting of a positive real-valued increment $\delta$ and the observation event $(f, f')$. Such an event means that $A$ can wait for $\delta$ time and then update its output from $f(O)$ to $f'(O)$ while the environment is updating the input variables from $f(I)$ to $f'(I)$. The set of all $A$ timed events is denoted $\Gamma_A$.

The timed process $A$ gives a labeled transition system over the state space $\Sigma_A$ with the labels $\Gamma_A$. For states $\sigma = (s, \Phi)$ and $\tau = (t, \Theta)$ in $\Sigma_A$, and a timed event $\gamma = (\delta, f, f')$ in $\Gamma_A$, the transition $\sigma \stackrel{\gamma}{\to} \tau$ is defined iff $f(O) = \mu(s)$, $f'(O) = \mu(t)$, $wait(\sigma, \delta)$, and there exists an edge $(s, t, \varphi, \chi, Y)$ such that $(\Phi + \delta) \models \varphi$, $(f, f') \models \chi$, and $\Theta = (\Phi + \delta)[Y := 0]$. Writing $\sigma \stackrel{\gamma}{\to}$ denotes that $\sigma \stackrel{\gamma}{\to} \tau$ for some $\tau$.

Timed processes are closed under stuttering; i.e., let $\gamma = (\delta, f, f')$, then:

$$\sigma \stackrel{\gamma}{\to} \tau \Rightarrow \forall\, 0 < \delta' < \delta\,[\exists \sigma'[\sigma \stackrel{\gamma'}{\to} \sigma' \wedge \sigma' \stackrel{\gamma''}{\to} \tau \wedge \gamma' = (\delta', f, f) \wedge \gamma'' = (\delta - \delta', f, f')]]$$

Figure 2 is an example timed process defining the behavior of an inertial buffer with input $i$, output $o$, and delay in $[MinD, MaxD]$. The stutter-closing self loops are omitted in the figure. Every process spends non-zero time in each location, and all transitions are instantaneous. Initial locations are denoted by ►.


Figure  2.  Inertial  Buffer  Timed  Process. 
The following definition specifies how to model more complex systems by parallel composing simpler timed process models together. Here, "$\setminus$" denotes set subtraction.

Definition 12. Timed Process Parallel Composition. Two timed processes

$A = (S^A, S_0^A, X^A, O^A, I^A, \alpha^A, \mu^A, E^A)$ and $B = (S^B, S_0^B, X^B, O^B, I^B, \alpha^B, \mu^B, E^B)$

can be parallel composed iff $O^A \cap O^B = \emptyset$ (they share no common output). The parallel composition $P = A \| B$ is a timed process $P = (S^P, S_0^P, X^P, O^P, I^P, \alpha^P, \mu^P, E^P)$ such that

$S^P = S^A \times S^B$

$S_0^P = S_0^A \times S_0^B$

$X^P = X^A \cup X^B$

$O^P = O^A \cup O^B$

$I^P = (I^A \cup I^B) \setminus O^P$

$\alpha^P$: $\forall s \in S^A, t \in S^B[\alpha^P((s,t)) = \alpha^A(s) \wedge \alpha^B(t)]$

$\mu^P$: $\forall s \in S^A, t \in S^B[\mu^P((s,t)) = \mu^A(s) \cup \mu^B(t)]$

$$E^P = \{((a,b), (a',b'), \varphi \wedge \varphi', \chi'', Y \cup Y') \mid (a, a', \varphi, \chi, Y) \in E^A \;\wedge\; (b, b', \varphi', \chi', Y') \in E^B \;\wedge\;$$
$$((f, f') \models \chi'' \;\Leftrightarrow\; (f \cup \mu^B(b), f' \cup \mu^B(b')) \models \chi \;\wedge\; (f \cup \mu^A(a), f' \cup \mu^A(a')) \models \chi')\}$$

The set of edges in the parallel composition consists of those edges where the outputs of each individual process ($\mu^B$, $\mu^A$) satisfy the input predicates of the other process ($\chi$, $\chi'$). Timed process parallel composition is commutative and associative.
2.2.3.2 Timed Process Relations. Simulation relations between timed processes are defined over timed event sequences. A timed event sequence $\gamma = [\gamma_0, \gamma_1, \ldots, \gamma_{k-1}]$ is a finite sequence of events $\gamma_i = (\delta_i, f_i, f'_i)$ such that $\forall\, 0 \le i < k-1\,[f_{i+1} = f'_i]$. For such a timed event sequence, define $\Delta_0 = 0$, and $\Delta_i = \sum_{j=0}^{i-1} \delta_j$ for $1 \le i \le k$. Each such $\gamma$ uniquely defines a function $F_\gamma$ from the closed interval $[0, \Delta_k]$ to the observations, given by $F_\gamma(t) = f_i$ for $t \in [\Delta_i, \Delta_{i+1})$ and $F_\gamma(\Delta_k) = f'_{k-1}$.

A run of $A$ on a timed event sequence $\gamma$ is a sequence of states $[\sigma_0, \sigma_1, \sigma_2, \ldots, \sigma_k]$, $\sigma_i \in \Sigma_A$, such that $\sigma_0 \xrightarrow{\gamma_0} \sigma_1 \xrightarrow{\gamma_1} \sigma_2 \cdots \xrightarrow{\gamma_{k-1}} \sigma_k$. The timed event sequence $\gamma$ is called a trace of $A$ if there exists a run in $A$ on $\gamma$ starting from an initial state and terminating in a state $\sigma_k \in \Sigma_A$. The timed language of process $A$, denoted $\mathcal{L}(A)$, is the set of traces of $A$.

Consider two timed processes $A$ and $B$ (as in Definition 12). $A$ is comparable to $B$ iff $O^B \subseteq O^A \wedge I^B \subseteq I^A$; i.e., $B$'s outputs and inputs are subsets of $A$'s.

If $A$ is comparable to $B$, then a timed simulation relation from $A$ to $B$ is a binary relation $\Omega \subseteq \Sigma_A \times \Sigma_B$ among the states of $A$ and $B$ such that

$$\forall (\sigma, \tau) \in \Omega, \gamma \in \Gamma_A\,[\sigma \xrightarrow{\gamma} \sigma' \Rightarrow \exists\, \tau' \in \Sigma_B[\tau \xrightarrow{\gamma} \tau' \wedge (\sigma', \tau') \in \Omega]]$$

The timed simulation relation $\Omega$ is initialized iff for every initial $\sigma \in \Sigma_A$ there is an initial $\tau \in \Sigma_B$ with $(\sigma, \tau) \in \Omega$. If $A$ is comparable to $B$ and an initialized timed simulation relation from $A$ to $B$ exists, then $A$ timed-simulates $B$, written $A \preceq_S B$.
Let $A$ be comparable to $B$; then $A$ is said to timed-implement $B$ iff

$$\forall \gamma^A \in \mathcal{L}(A)[\exists\, \gamma^B \in \mathcal{L}(B)[F_{\gamma^A}(I^B \cup O^B) = F_{\gamma^B}]]$$

i.e., the traces of the two machines assign the same values to $B$'s input and output variables at all times. Timed implementation is denoted $A \preceq_L B$, and is also referred to as the language inclusion relation. The relations $\preceq_S$ and $\preceq_L$ are reflexive and transitive. When $A \preceq_S B$ and $B \preceq_S A$, then $A$ and $B$ are timed simulation equivalent, written $A \equiv_S B$; $\equiv_S$ is an equivalence relation. Similarly, $\equiv_L$ is the equivalence relation induced by $\preceq_L$.

Timed simulation is a stronger requirement than timed implementation; i.e., $A \preceq_S B \Rightarrow A \preceq_L B$. The timed simulation relation can be decided by an exponential algorithm when the timing of the two processes is represented by finite equivalence classes, so timed simulation is the relation checked by the COSPAN system to decide when system $A$ can be substituted for system $B$. If $A \preceq_L B$ then $A$ refines $B$.

Timed process parallel composition preserves both $\preceq_S$ and $\preceq_L$; i.e., $\forall X[A \preceq_S B \Rightarrow A\|X \preceq_S B\|X]$ and $\forall X[A \preceq_L B \Rightarrow A\|X \preceq_L B\|X]$. So $A\|B \preceq_S P\|Q$ if $A \preceq_S P \wedge B \preceq_S Q$; this allows decomposing large verifications into smaller pieces.

2.2.3.3 Assumes-Guarantees Verification. Timed simulation verification involves generating timed process models of the environment and composing them with timed process models of the desired system and reasoning about their behavior together. Consequently, the behavior of the system depends on the behavior of the environment, which depends on the behavior of the system, in a circular fashion. To break this circular chain of dependency an assumes-guarantees proof methodology is adopted. The methodology depends on the fact that a composed process is an implementation of each of its components (i.e., $A\|B \preceq_S A$). This fact is used to make assumptions about the rest of the system's behavior when trying to determine if a component (the one being designed) satisfies a more abstract specification of its own behavior. Composed timed processes must be nonblocking for a consistent assumes-guarantees proof methodology.

A timed process $A = (S, S_0, X, O, I, \alpha, \mu, E)$ is nonblocking iff

$$\forall \sigma \in \Sigma_A, (\delta, f, f') \in \Gamma_A\,[\sigma \xrightarrow{(\delta, f, f')} \Rightarrow \forall (\delta, g, g') \in \Gamma_A[g(O) = f(O) \wedge g'(O) = f'(O) \Rightarrow \sigma \xrightarrow{(\delta, g, g')}]]$$

Intuitively, this means that nonblocking processes should be able to generate a trace regardless of the sequence of input events. In this case, if after $\delta$ time passes $A$ updates its output from $f(O)$ to $f'(O)$ and at the same time the environment updates the inputs from $g(I)$ to $g'(I)$, there must be an edge in $E$ from $\sigma$ to a state for $(\delta, g, g')$'s input condition with consistent output. Hence the updating of $O$ is independent from $I$, and there must be an edge to a state allowing them to be independent. Generally, nonblocking requires defining edges for all possible input conditions from all possible states (GSSAL94).

Definition 13. Assumes-Guarantees Rule. Given nonblocking timed processes $A, B, C, D \in \mathcal{TP}$:

$$((A\|D \preceq_L C) \wedge (C\|B \preceq_L D)) \Rightarrow A\|B \preceq_L C\|D$$

The assumes-guarantees rule says that proving $A$ is a refinement of $C$ assuming that the environment behaves like $D$, and proving that $B$ is a refinement of $D$ assuming that the environment behaves like $C$, establishes that $A\|B \preceq_L C\|D$. The assumes-guarantees rule does not hold for blocking processes, and it does not hold if $\preceq_S$ replaces $\preceq_L$. The rule also fails if time predicates defining open sets are used; i.e., strict inequalities like $k < 5$ or $k > 5$ cannot be used in state invariants $\alpha(\sigma)$ or edge clock predicates $\varphi$.

Timed simulation verification methodology using the assumes-guarantees rule is expensive in practice, requiring one or more processes to model the environment and at least $2n$ verifications and $3n$ timed process models for $n$-process compositions ($n \ge 2$). For example, given the structure of the 3-process system (including the environment processes) shown in Figure 3, where there are two timed process models for each of the three components, one concrete (e.g., $X_c$) and one abstract (e.g., $X_a$), the problem is to decide whether or not the composition of the concrete models refines the abstract composition. Three full-size verifications must be done.


Figure  3.  Assumes-Guarantees  Example. 


In this case, to conclude $X_c\|Y_c\|Z_c \preceq_L X_a\|Y_a\|Z_a$, the verifications $X_c\|Y_a\|Z_a \preceq_L X_a\|Y_a\|Z_a$, $X_a\|Y_c\|Z_a \preceq_L X_a\|Y_a\|Z_a$, and $X_a\|Y_a\|Z_c \preceq_L X_a\|Y_a\|Z_a$ must all be successful. In practice, the combined state space of both the concrete and abstract compositions is too large and the verification takes too long, so a single abstract process is developed to represent the behavior of all of the other systems in the composition (i.e., the environment from the perspective of any one of the abstract processes in the composition), and it is used to reduce the state space of the verification problem. For example, process models $XY$, $YZ$, and $XZ$ modeling the environments $X_a\|Y_a$, $Y_a\|Z_a$, and $X_a\|Z_a$ are needed, and the verifications $X_c\|YZ \preceq_L X_a\|YZ$, $Y_c\|XZ \preceq_L Y_a\|XZ$, and $Z_c\|XY \preceq_L Z_a\|XY$ are required. These verifications are valid only if the environmental abstractions are correct, so $X_a\|Y_a \preceq_L XY$, $Y_a\|Z_a \preceq_L YZ$, and $X_a\|Z_a \preceq_L XZ$ must also be verified. This requires a total of 6 verifications and 9 different timed process models to verify a 3-element composition.

When  any  model  changes,  every  verification  involving  it  must  be  redone.  If  an  abstract 
model  changes  then  at  least  n  verifications  must  be  redone,  but  if  a  concrete  model  changes, 
only  1  verification  need  be  redone.  Unfortunately,  the  most  difficult  models  to  construct  are  the 
abstraction  models,  and  the  assumes-guarantees  methodology  requires  more  abstract  models  than 
concrete  models.  Clearly,  when  models  are  subject  to  change  frequently,  as  they  are  in  most  design 
and  verification  projects,  assumes-guarantees  verification  is  a  significant  effort. 
Additionally, the timed COSPAN tool does not calculate the simulation relation; rather, the user must input a map from location to location and COSPAN checks to see if the mapping is a simulation relation. Commenting on this, the COSPAN users desire a capability for automatically generating the simulation relation or checking if there is an initialized one without generating it (TAKB96). They also describe the process of generating accurate abstract models as an iterative process; hence the $2n$ verifications were redone many times, and each time they had to supply the appropriate simulation relation.

2.2.3.4 Timed Simulation and Assumes-Guarantees Summary. The timed process formalism is more powerful than TCCS agents and CTR processes because it resolves the problem of expressing timing relationships between any two actions by resetting clocks and referencing them in clock predicates. Timed process definitions are quite complicated because they use state functions to define outputs and invariants, and they use sequences of events to define process semantics.

The  nonblocking  property  required  for  the  assumes-guarantees  rule  also  makes  it  difficult  to 
create  simple  timed  process  models.  In  order  to  be  consistent  in  all  verification  contexts,  the  model 
must  define  behavior  for  all  inputs  for  all  states  for  all  times  to  ensure  that  the  nonblocking  property 
holds.  In  contrast  to  CTR  refinement,  this  means  that  input  behaviors  are  not  refined  at  all;  they 
must  be  continuously  specified.  This  is  like  trying  to  formally  define  and  derive  programs  and 
subprograms  using  preconditions,  postconditions,  and  Dijkstra  calculus,  but  the  only  precondition 
allowed  is  the  weakest  of  all — i.e.,  true  (Dro89). 

Clearly, to simplify the modeling burden, and to distribute the burden of verification rationally, something besides weakening the input constraints in implementations (as in CTR refinement) or specifying all inputs in all states for all time (as in the assumes-guarantees methodology) must be done. A way to factor the timing properties of the environment into the verification process without having to build many different models of the environment from each component's perspective must be found.
2.3 Summary

This chapter introduced and defined several example formalisms for modeling and reasoning about the "equivalent" behavior of concurrent systems. Some formalisms cannot express the relationship between time and behavior at all, while others that can are very complicated and hard to define. Some equivalence relationships between models in those formalisms are strong and preserve properties, but they do not give the designers enough freedom to design efficiently. Other weaker relationships give designers structural and behavioral freedom to design and specify more efficient implementations, but they do not necessarily preserve all possible properties.

Untimed CCS agents are not expressive enough to capture the relationship between time passing and action, and the equivalence relations bisimulation and weak-bisimulation between agents are not loose enough to give designers the freedom they need to design efficiently.

The untimed partial order relation Logic Conformance provides a significantly more practical notion of "equivalence" between untimed CCS agents, but it does not generally preserve modal-logic or $\mu$-calculus properties.

The three representative timed modeling formalisms Timed Calculus of Communicating Systems (TCCS), Calculus of Timed Refinement (CTR), and timed processes have some expressiveness problems:

•  Upper  and  lower  time  bounds  (bi-bounded  delays)  are  difficult  to  define  in  TCCS. 

•  The  maximal-progress  semantic  leap  from  two  processes  waiting  individually  to  perform  their 
actions  to  cooperating  processes  that  cannot  wait  to  perform  their  cooperative  actions  is  a 
fidelity  problem  for  both  TCCS  and  CTR. 

•  General  temporal  relationships  between  actions  that  do  not  sequentially  follow  each  other  are 
impossible  to  express  in  TCCS  and  CTR. 
•  Timed processes support expressing general temporal relationships between actions, but they are quite complicated because they use state functions to define outputs and invariants, and sequences of events to define process semantics.

This chapter referenced the timed "equivalence" relationships timed bisimulation and weak timed bisimulation for TCCS agents. It defined the timed "equivalence" relationships: CTR-refinement for CTR agents; and timed-simulation and timed implementation between timed processes.

It also described, defined, and critiqued the assumes-guarantees verification methodology used with the most expressive formalism—timed processes. Even at best, the most expressive and practical modeling and verification task is formidable because of the circular dependencies between the environment and the system inherent in the assumes-guarantees verification methodology. The iterative nature of generating accurate abstractions and using them to simplify verification computations forces one to always consider the entire system in the verification or reaccomplish many "equivalence" checks to verify the verification. And, the most advanced tool, COSPAN, requires the user to supply an untimed simulation relation between the states of the systems being compared instead of directly computing it.

Designers  need  a  “simple”  modeling  formalism  that  powerfully  expresses  the  relationship 
between  behavior  and  time.  There  must  be  a  way  to  factor  the  timing  properties  of  the  environment 
into  the  verification  process  without  building  many  different  models  of  the  environment  and  using 
them  to  “verify  the  verification.”  Designers  need  a  formal  mathematical  relationship  that  accurately 
defines  an  acceptable  implementation  relation  between  models  in  a  practical  way  that  can  be 
computed  efficiently  without  a  lot  of  user  input  required. 
III. Timed Safety Automata

The first step towards addressing the shortcomings revealed in Chapter II is choosing a simple and expressive formalism as a timed model for concurrent systems. This chapter formally defines the Timed Safety Automata (TSA) formalism used in this research to specify and model timed system behavior. This TSA model is simpler than COSPAN timed processes, but at the same time it suffers none of the expressiveness problems associated with untimed process algebras, TCCS and CTR. The TSA formalism has been extensively studied and has been widely used. For a formal exposition of TSA expressiveness and computational complexity see (AD94). In this research, a flavor of TSA with both location and transition predicates and action-labeled transitions is used to model digital circuits.

The chapter includes basic TSA definitions, TSA semantics, TSA modification rules, and TSA parallel composition rules. The following TSA definition is based on Sokolsky's (SS95). It supports a dense-time model of time with the non-negative real numbers $\mathbb{R} = [0, \infty)$, and time constants from the non-negative integers $Z = \{0, 1, 2, \ldots\}$.

3.1  Basic  TSA  Definitions 

Definition 14. TSA. Let $\mathcal{T}$ denote the set of TSA. Given

-  clock: A clock $\xi$ is an $\mathbb{R}$-valued variable. Let $C$ be the set of clock variables.

-  clock constraint: A clock constraint is an expression of the form $\xi\ R\ c$ where $\xi \in C$, $R \in \{<, >, \le, \ge\}$, and $c \in Z$.

-  clock assignment: Given the ordered set $\Xi = \langle \xi_1, \ldots, \xi_n \rangle \subseteq C$, a clock assignment $\pi \in \mathbb{R}^n$ is an instantiation of $\Xi$.

-  idling: $\pi + d = (\pi_1 + d, \ldots, \pi_n + d)$, $d \in \mathbb{R}$.

-  clock reset: Given $\vartheta \subseteq \Xi$, a clock reset $\pi[\vartheta := 0]$ projects a clock assignment $\pi$ to a new clock assignment where

$$\pi[\vartheta := 0](\xi_i) = \begin{cases} 0 & (\xi_i \in \vartheta) \\ \pi_i & (\xi_i \notin \vartheta) \end{cases}$$

-  region: A region $\rho$ is a connected subset of $\mathbb{R}^n$ formed by a conjunction of clock constraints. Let $\mathcal{R}$ be the set of regions in $\mathbb{R}^n$.

-  input action — name: $a \in A$.

-  output action — coname: $\bar{a} \in \bar{A}$, $\bar{\bar{a}} = a$ (also, $\bar{a} = a.$ in this work).

-  Labels: $L = A \cup \bar{A}$.

-  $\tau \notin L$, the invisible internal action.

-  location: $(l, \rho_l)$, where $l$ is a unique location name, and $\rho_l$ is a past-closed region called a location invariant. A region $\rho$ is past-closed when it includes time $\vec{0}$; i.e., given that $p \le q \Leftrightarrow \forall i \in [1..n][p_i \le q_i]$, then

$$\forall p \in \rho[\forall d \in \mathbb{R}^n[\vec{0} \le d \le p \Rightarrow d \in \rho]]$$

Note that only clock constraints with $R \in \{<, \le\}$ result in past-closed regions.

A TSA $T \in \mathcal{T}$ is a 5-tuple $T = (\mathcal{L}, Act, \Xi, (l_0, \rho_0), \mapsto)$, where

-  $\mathcal{L}$ is a finite set of locations.

-  $Act = L \cup \{\tau\}$ is a set of actions ranged over by $\alpha$.

-  $\Xi \subseteq C$ is a set of $n$ $\mathbb{R}$-valued clocks.

-  $(l_0, \rho_0) \in \mathcal{L}$ is the start location, where initially $\pi = \vec{0} \in \rho_0$.

-  $\mapsto \subseteq \mathcal{L} \times Act \times \mathcal{R} \times \mathcal{P}(\Xi) \times \mathcal{L}$ is a transition relation, where each transition is labeled by an action, a region (called a guard), and a set of clocks that are reset to 0 when the transition occurs (note $\mathcal{P}(\Xi)$ denotes the powerset of $\Xi$).

Transition guards are derived from clock constraints, and they are interpreted as necessary conditions for the transition to occur. Location invariants are also derived from clock constraints, and they restrict the amount of time the automata can stay in the associated location. Location invariants are therefore interpreted as sufficient conditions to cause a transition to occur (HNSY94:209). They cause transitions to occur when time passing forces a change of location to avoid $\pi \notin \rho_l$. Location invariants are also necessary conditions for the TSA to be in the associated location. Unspecified (empty) guards and invariants are defined to be the region $\mathbb{R}^n$ (always satisfied). Informally, TSA operate by taking instantaneous transitions from location to location. When no transitions occur, TSA idle in a location $(l, \rho_l)$ passing time by incrementing all clocks in $\pi$ by $d \in \mathbb{R}$ such that $l$'s location invariant is satisfied—i.e., $\pi + d \in \rho_l$. Without loss of generality, only non-Zeno TSA are considered. Non-Zenoness is a liveness condition that asserts time can always progress (HNSY94:203). No generality is lost by excluding Zeno automata because any well-formed Zeno TSA can be transformed to a non-Zeno one by strengthening invariants. Non-Zeno automata consistently model the fact that time relentlessly progresses.

3.2  TSA  Semantics 

The  semantics  of  TSA  are  defined  via  Dense  Labeled  Transition  System  (DLTS)  automata 
with  uncountable  state  sets. 

Definition 15. TSA Semantics. Let $\mathcal{D}$ denote the set of DLTS automata. Every TSA $T = (\mathcal{L}, Act, \Xi, (l_0, \rho_0), \mapsto)$ induces a DLTS automaton $D = (S, Act, \rightarrow, (l_0, \vec{0}))$ such that:

-  $S$ is a set of timed states defined by the following rule:

$$\forall (l, \rho_l) \in \mathcal{L}[\pi \in \rho_l \Rightarrow (l, \pi) \in S] \qquad (5)$$

$S_I \subseteq S$ and $S_S \subseteq S$ are sometimes used to distinguish between the implementation and specification DLTS state spaces.

-  $Act = L \cup \{\tau\}$, a set of actions ranged over by $\alpha$.

-  $(l_0, \vec{0})$, the start state assigning 0 to every clock.

-  $\rightarrow \subseteq S \times (Act \cup \mathbb{R}) \times S$ is a transition relation defined by the following two rules:

$$(l, \rho_l) \overset{\alpha, \rho, \vartheta}{\mapsto} (l', \rho_{l'}) \wedge \pi \in \rho \wedge \pi \in \rho_l \wedge \pi[\vartheta := 0] \in \rho_{l'} \;\Rightarrow\; (l, \pi) \xrightarrow{\alpha} (l', \pi[\vartheta := 0]) \qquad (6)$$

$$(l, \rho_l) \in \mathcal{L} \wedge \delta \in \mathbb{R} \wedge \pi \in \rho_l \wedge \pi + \delta \in \rho_l \;\Rightarrow\; (l, \pi) \xrightarrow{\delta} (l, \pi + \delta) \qquad (7)$$

In Rule 6, DLTS $D$ transitions from location $l$ to $l'$ via action $\alpha$. No time passes, but all clocks in $\vartheta \subseteq \Xi$ are reset to 0. Clock assignment $\pi$ must satisfy both $\rho_l$ and $\rho$, and clock reset $\pi[\vartheta := 0]$ must satisfy $\rho_{l'}$. Under Rule 6, timed state $(l', \pi[\vartheta := 0])$ is a transition successor of timed state $(l, \pi)$.

In Rule 7, DLTS $D$ stays in location $l$ with time delay $\delta$ if both $\pi$ and $\pi + \delta$ satisfy $\rho_l$. Under Rule 7, timed state $(l, \pi + \delta)$ is a time successor of timed state $(l, \pi)$.

3.3  TSA  Modifications 

As  in  process  algebras,  TSA  transition  relations  can  be  modified  to  generate  new  TSA.  The 
named  process-algebra-style  rules  for  generating  new  TSA  are  defined  as  follows: 

Definition 16. TSA Modification Rules. Let $A \in \mathcal{T}$ and $\mathsf{L} \subseteq L$; then for $\alpha \in Act$, $a \in A$, and $l \in L$:

Res: $\dfrac{A \xrightarrow{\alpha} A'}{A \setminus \mathsf{L} \xrightarrow{\alpha} A' \setminus \mathsf{L}} \quad (\alpha \notin \mathsf{L})$

Hid: $\dfrac{A \xrightarrow{\bar{a}} A'}{A / \mathsf{L} \xrightarrow{\tau} A' / \mathsf{L}} \quad (a \in \mathsf{L} \cup \bar{\mathsf{L}})$

Rel: $\dfrac{A \xrightarrow{l} A'}{A[f] \xrightarrow{f(l)} A'[f]}$


Rule Res deletes transitions by restricting the transition relation by a set of actions $\mathsf{L} \subseteq L$ (recall that $L$ is the set of visible actions, not including $\tau$ or $\delta \in \mathbb{R}$). Only actions not in $\mathsf{L}$ remain in $(A \setminus \mathsf{L})$'s transition relation.

Rule Hid turns output actions into hidden actions ($\tau$'s). This rule makes it impossible for other TSA to interface with $A/\mathsf{L}$ using $\mathsf{L}$. Hid does not delete any transitions from $A$; it just relabels outputs whose name or coname are members of $\mathsf{L}$. Hid is particularly important for internalizing the cooperative actions of parallel composed TSA as discussed in Section 3.4.

Rule Rel relabels transitions. The change is specified by a function $f : L \to L$, where the convention is to specify $f$ by a list of label pairs (new, old) relating old labels of $A$ with the new labels of $A[f]$. Relabeling does not change inputs into outputs or vice-versa; i.e., for $n, o \in L$ and $(n, o)$ a relabeling specification pair, $f(o) = n$ and $f(\bar{o}) = \bar{n}$.


3.4  Parallel  TSA  Composition 

Specifying the behavior of complex implementations as single flat TSA is too tedious. Generally, in hardware and software design processes, systems are built and understood hierarchically; i.e., the entire system is composed of subsystems, which are composed of sub-subsystems, which are composed of sub-sub-subsystems, ..., until at the lowest level of abstraction simple well defined design primitives are used. Modern structured analysis leads to hierarchical software systems, and the design primitives are typically programming language statements or library functions and procedures. The process is similar for hardware systems, except that the primitives are logic gates, transistors, or standard cells. Logically, designers usually think of the components functioning in parallel, generally independent of each other except for the specific dependencies implied by their connections with each other. However, if the system is a software system on a uniprocessor, the actual processes may run serially or in a time-sharing environment.

Figures  4  and  5  show  the  schematic  for  a  C-element  implementation  and  a  corresponding 
Timed  Logic  Conformance  System  (TLCS)  parallel  TSA  specification. 


Figure  4.  C-element  Schematic. 


tsa([c_elt000, AndMin, AndMax, OrMin, OrMax], CE) :-
    parallel([[[and000, AndMin, AndMax], [[ab, c]]],
              [[and000, AndMin, AndMax], [[c, b], [ac, c]]],
              [[and000, AndMin, AndMax], [[b, a], [c, b], [bc, c]]],
              [[or0000, OrMin, OrMax], [[ab, a], [ac, b], [bc, c], [c, d]]]],
             [ab, ac, bc],
             CE).


Figure  5.  Parallel  C-element  Example. 

The C-element is composed of three 2-input Ands and a single 3-input Or. The timing of the And and Or TSA is specified with the variables AndMin, AndMax and OrMin, OrMax. The list of pairs following each component instantiation (e.g., [new, old]) renames the default input and output names to the new names in the circuit. The list of names following the list of components (i.e., [ab, ac, bc]) are the hidden internal connections of the C-element; they are not available for connection to the world outside of the C-element, and they become the internal $\tau$ actions of the C-element component.
Formally, the relationship between the parallel TSA definition and the definitions of its components is as follows:

Definition 17. Parallel TSA. Let $T_p = (\mathcal{L}_p, Act_p, \Xi_p, (l_0, \rho_0)_p, \mapsto_p)$ be the parallel TSA constructed of $n$ TSA, each distinctly denoted by $T_i = (\mathcal{L}_i, Act_i, \Xi_i, (l_0, \rho_0)_i, \mapsto_i)$; then,

$$\mathcal{L}_p \subseteq \mathcal{L}_1 \times \mathcal{L}_2 \times \ldots \times \mathcal{L}_n \qquad (8)$$

$$Act_p \subseteq \bigcup_{i \in \{1 \ldots n\}} Act_i \qquad (9)$$

$$\Xi_p \subseteq \bigcup_{i \in \{1 \ldots n\}} \Xi_i \qquad (10)$$

$$(l_0, \rho_0)_p = ((l_0, \rho_0)_1, (l_0, \rho_0)_2, \ldots, (l_0, \rho_0)_n) \qquad (11)$$

$$\mapsto_p \subseteq \mathcal{L}_p \times Act_p \times \mathcal{R} \times \mathcal{P}(\Xi_p) \times \mathcal{L}_p \qquad (12)$$

The locations of the parallel TSA (elements of the set $\mathcal{L}_p$) are denoted by a sequence of locations of its subcomponents called a location vector. The initial location vector of the parallel TSA ($(l_0, \rho_0)_p$) consists of the initial locations of every component. Except for the initial location vector, $T_p$'s definition is not complete; the exact subsets are defined inductively based on the initial location, subcomponent definitions, and the Definition 18 named rules governing communication between $T_p$'s subcomponents. Parallel TSA location vector invariants are logically the intersection of time regions formed by conjuncting the clock constraints of the sub-component location invariants. The transition relation $\mapsto_p$ is derived from the transition relations of the subcomponents using the rules starting from the initial location vector $(l_0, \rho_0)_p$. The set of actions of the parallel composition $Act_p$ is also derived from $\bigcup Act_i$ as defined by induction over the rules. Reached location vectors are added to set $\mathcal{L}_p$, and new actions possible from added locations are added to set $Act_p$. Clocks referenced in added locations and new transitions are all included in set $\Xi_p$.
Definition 18. Parallel TSA Composition Rules. Let $i, j \in [1..n]$, $i \ne j$, $A \in \mathcal{L}_i$, $B \in \mathcal{L}_j$ be locations of two subcomponents in the parallel TSA $T_p$; then the sets of locations $\mathcal{L}_p$, actions $Act_p$, and transitions $\mapsto_p$ are defined inductively by the following rules, for $a \in A$ and $\alpha \in Act$ ($L_A$ and $L_B$ denote the names and conames of the components containing $A$ and $B$):

Single1: $\dfrac{A \overset{\alpha, \rho_a, \vartheta_a}{\mapsto} A'}{A\|B \overset{\alpha, \rho_a, \vartheta_a}{\mapsto} A'\|B} \quad (\alpha \notin L_B)$

Single2: $\dfrac{B \overset{\alpha, \rho_b, \vartheta_b}{\mapsto} B'}{A\|B \overset{\alpha, \rho_b, \vartheta_b}{\mapsto} A\|B'} \quad (\alpha \notin L_A)$

Com1: $\dfrac{A \overset{a, \rho_a, \vartheta_a}{\mapsto} A' \;\wedge\; B \overset{a, \rho_b, \vartheta_b}{\mapsto} B'}{A\|B \overset{a,\ \rho_a \cap \rho_b,\ \vartheta_a \cup \vartheta_b}{\mapsto} A'\|B'}$

Com2: $\dfrac{A \overset{\bar{a}, \rho_a, \vartheta_a}{\mapsto} A' \;\wedge\; B \overset{a, \rho_b, \vartheta_b}{\mapsto} B'}{A\|B \overset{\bar{a},\ \rho_a \cap \rho_b,\ \vartheta_a \cup \vartheta_b}{\mapsto} A'\|B'}$

Com3: $\dfrac{A \overset{a, \rho_a, \vartheta_a}{\mapsto} A' \;\wedge\; B \overset{\bar{a}, \rho_b, \vartheta_b}{\mapsto} B'}{A\|B \overset{\bar{a},\ \rho_a \cap \rho_b,\ \vartheta_a \cup \vartheta_b}{\mapsto} A'\|B'}$

Output alphabets of the component TSA must be disjoint; i.e.,

$$\forall i, j \in [1..n], i \ne j\,[(\bar{A}_i \cap \bar{A}_j) = \emptyset]$$

More than one component outputting the same action is considered an error and the composition is not defined.

Although the parallel composition rules are specified for only two TSA locations at a time, they are commutative and associative¹ and extend by composing two TSA locations at a time to produce a new parallel TSA location which is again composed with the adjacent TSA locations until the composition is complete.

¹The Boolean and set operations are all commutative and associative, and the rules are specified in symmetric pairs where necessary.
TSA locations $A$ and $B$ composed by rules Single1 and Single2 continue to perform internal actions and visible actions not in each other's language by name or coname. None of the actions for the gate-level TSA composed together in Figure 4 are independent of each other, so rules Single1 and Single2 do not induce any C-element transitions in this example.

Rule Com1 allows multiple TSA to input together. Whenever the parallel TSA is in a from-location where the locations of all components sharing a common input action $a$ can perform an $a$ action, there is a parallel TSA $a$ action to a to-location vector where all components sharing the $a$ action are updated to the to-locations of their $a$ transitions, and the non-$a$-capable component locations are equal in the from- and to-location vectors. Receiver transition guards are conjuncted (i.e., their regions $\rho_a$ and $\rho_b$ are intersected), and reset sets are unioned together in the parallel action. This case is illustrated by the $a$-input shared by the top two Ands in Figure 4. Whenever both Ands (all receivers) are in a location that can perform an $a$, there is a parallel TSA $a$ action to the new location vector where both Ands (all $a$ receivers) move to their $a$-transition destination locations. If one or more receivers cannot perform the shared input action, no parallel transition is defined.

Rules Com2 and Com3 generate output actions when two or more TSA cooperate on an output and its complementary input action. Used with the Hid TSA modification rule, Com2 and Com3 internalize cooperative actions, turning them into τ's. When the parallel output action is not hidden, it remains an output of the composition. The unhidden case is illustrated by the Or c̄ output and the c-input shared by the bottom two Ands in Figure 4. Whenever all three gates are in a location where they can perform the c or c̄ action, there is a parallel TSA c̄ action where all three gates move to their c/c̄-destination locations in the location vector. By convention, Com2 and Com3 keep the coname label; this supports building parallel TSA that can export an output that communicates to TSA in the parallel composition as well as those external to the composition. The hidden action case is illustrated by the top And ab̄ output and the Or ab-input in Figure 4. Whenever the top And is in a location where it can perform the ab̄ and the Or can perform the ab action, there is a parallel TSA τ(ab) action where both gates move to their ab/ab̄-destination locations in the location vector. 

This formalization of parallel composition is synchronous since it does not allow the individual σ-actions of one component to occur independently of other components when they can also perform σ or σ̄. This means that they strongly influence each other's behavior, but it faithfully models the reality of hardware components connected by wires strongly influencing each other. 

3.5  Summary 

This  chapter  formally  defines  a  “simple”  and  expressive  Timed  Safety  Automata  (TSA)  model 
of  computation.  It  includes  basic  TSA  definitions,  TSA  semantics,  rules  for  modifying  TSA,  and 
rules and examples defining parallel TSA composition. TSA are well suited to modeling hardware components because they do not suffer the deficiencies recognized in Chapter II. 

This  Mealy  machine  TSA  model  is  simpler  than  the  Moore  machine  COSPAN  timed  process 
model  because  it  does  not  define  output  by  associating  functions  with  locations,  and  it  requires 
about  half  of  the  rules  CTR  requires  (10  vs.  21)  to  define  model  semantics  and  composition. 

TSA  suffer  none  of  the  expressiveness  problems  associated  with  untimed  process  algebras, 
TCCS  and  CTR.  Upper  and  lower  time  bounds  (bi-bounded  delays)  are  easily  defined  using  TSA 
location  invariants  and  transition  guards.  The  maximal-progress  semantic  leap  (from  two  processes 
waiting  individually  to  perform  their  actions  to  cooperating  processes  that  can  not  wait  to  perform 
their  cooperative  actions)  does  not  exist  in  the  Definition  18  TSA  parallel  composition  rules.  And 
general  temporal  relationships  between  actions  that  do  not  sequentially  follow  each  other  are  easy 
to  express  in  TSA  by  resetting  a  clock  and  freely  using  clock  predicates  to  define  the  relationship. 
IV. Timed Logic Conformance 


Following Ken Stevens' bisimulation-based Logic Conformance relation (Ste94), this chapter defines a timed relation called Timed Logic Conformance (TLC, also written as $\le_\ell^t$) for Timed Safety Automata (TSA) based on DLTS semantics. TLC enforces a time-interval-based relationship between times when implementation actions can occur relative to specification actions. It also maintains $\le_\ell$'s partial order relationship between specification and implementation actions. TLC loosens the standard bisimulation-based strict timed-equivalence requirement formalized by Wang (Wan90), Cerans (Cer92), Alur, Courcoubetis, Henzinger (ACH94), and others (LY93). Instead of strict timed-equivalence a partial order relating the states of two systems over the time intervals when actions are enabled is defined. The partial order requires that implementation inputs are a timed superset of specification inputs¹, and that implementation outputs are a timed subset of specification outputs. For example, $\le_\ell^t$ will relate TSA implementation (I) and specification (S) such that $I \le_\ell^t S$ iff $I \le_\ell S$ and all output actions of I occur within the time intervals observed for S's output actions and all input actions of S occur within the time intervals observed for I's input actions. 

TLC is different from other loose timed-refinement relations (ACD90, Dan92, CGL93, Cer95). In particular, $\le_\ell^t$ turns around the standard definition that typically requires implementation input actions to be a timed subset of specification input actions. This change is motivated by common sense that argues one cannot safely substitute an implementation that does not accept all of the inputs accepted by the specification. TLC does not require designers to specify behaviors for all possible inputs in all locations at all times and it allows implementations that accept more inputs than the specification. In contrast to the assumes-guarantees verification methodology, TLC supports declaring the input constraints of the specification and implementations and using them to decompose the problem into independent pieces in a simple and powerful way. It does not require many different abstract models of each component's environment or iterating over extra verifications to "verify the verification." 

¹Exceptions to the input-superset half of the TLC relationship are allowed under certain circumstances; see Def. 28. 

Before  defining  the  TLC  relation  itself,  the  next  section  leads  up  to  it  by  defining  how  to 
abstract  internal  structural  differences  between  TSA.  Section  4.2  defines  a  weak  timed  bisimulation 
equivalence relation that will be used later to show that TLC is a partial order. After that, Section 4.3 defines how to abstract temporal differences between TSA. Then Section 4.4 defines TLC, 
and  Section  4.5  explains  an  example.  Section  4.6  compares  TLC  to  other  relations.  Sections  4.7 
and  4.8  define  and  prove  the  necessary  properties  of  the  TLC  relation.  Finally,  Section  4.9  discusses 
the  TLC  verification  methodology. 


4.1 Abstracting Internal Differences 

As for $\le_\ell$, internal behavior is abstracted into τ-transitions, and internal state changes that are matched by a TSA staying in an equivalent state are ignored. Recall τ ∈ Act is a distinguished element of Act, and let hatted Greek letters like $\hat{\alpha}$ formalize when τ actions may sometimes be matched by staying in the same state and passing zero time as follows: 


Definition 19. τ-abstraction: $\hat{\alpha}$. 

$$\forall \alpha \in Act \cup \mathbb{R}\qquad \hat{\alpha} = \begin{cases} 0, & \text{if } \alpha = \tau \\ \alpha, & \text{if } \alpha \neq \tau \end{cases}$$

To further loosen implementation and specification action-matching requirements, the transition relations of the systems are extended by transitively closing them over certain action sequences. 


Definition 20. τ-closure: $P \Rightarrow Q$. A DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is τ-transitive if whenever 

$$\begin{array}{ll} P\,(\xrightarrow{\tau})^* \xrightarrow{\sigma} (\xrightarrow{\tau})^*\, Q & \wedge\; \sigma \in Act \cup \mathbb{R} \qquad\vee \\ P \xrightarrow{\delta_1} (\xrightarrow{\tau})^* \xrightarrow{\delta_2} Q & \wedge\; \sigma = \delta_1 + \delta_2 \end{array}$$

exists in $R$ then $P \stackrel{\sigma}{\Rightarrow} Q$ also exists in $R$. 

The τ-closure of a DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is the relation $R'$ such that 

1. $R'$ is τ-transitive, 

2. $R' \supseteq R$, 

3. For any τ-transitive relation $R''$, $R'' \supseteq R \Rightarrow R'' \supseteq R'$. 

Transitions from state P to state Q by action σ in τ-closure are denoted by $P \stackrel{\sigma}{\Rightarrow} Q$. The predicate $P \stackrel{\sigma}{\Rightarrow}$ is true when there is at least one transition from state P via action σ ∈ Act ∪ ℝ. No actions are time abstracted in τ-closure, but the τ-closure relation models tau-abstracted actions. The τ-closure is used to extend transition relations and ignore internal actions resulting from structural differences that do not matter. 

4.2 Weak Timed Bisimulation 

Weak Timed Bisimulation is an equivalence relation for DLTS automata that will shortly be used to show that Timed Logic Conformance is a partial order. 

Definition 21. Weak Timed Bisimulation: $\mathcal{W}$. 

A binary relation $\mathcal{W} \subseteq S_I \times S_S$ over DLTS automata states is a weak timed bisimulation between two DLTS's $(S_I, Act_I, \to_I, (l_0,\pi_0)_I)$ and $(S_S, Act_S, \to_S, (l_0,\pi_0)_S)$, iff 

$$\forall (I,S) \in \mathcal{W},\ \gamma \in Act \cup \mathbb{R}\ [$$

$$\forall S'\,[\,S \xrightarrow{\gamma} S' \Rightarrow \exists I'\,[\,I \stackrel{\hat\gamma}{\Rightarrow} I' \wedge (I',S') \in \mathcal{W}\,]\,]\ \wedge \tag{13}$$

$$\forall I'\,[\,I \xrightarrow{\gamma} I' \Rightarrow \exists S'\,[\,S \stackrel{\hat\gamma}{\Rightarrow} S' \wedge (I',S') \in \mathcal{W}\,]\,]\ ] \tag{14}$$

Some properties of weak timed bisimulation are preserved by various operations on relations over DLTS state spaces. Let the identity $Id$, the converse $\mathcal{R}^{-1}$ of a binary relation $\mathcal{R}$, and the composition $\mathcal{R}_1\mathcal{R}_2$ of binary relations be defined as follows: 

$$Id = \{(x,x) \mid x \in S\} \tag{15}$$

$$\mathcal{R}^{-1} = \{(y,x) \mid (x,y) \in \mathcal{R}\} \tag{16}$$

$$\mathcal{R}_1\mathcal{R}_2 = \{(p,r) \mid (p,q) \in \mathcal{R}_1 \wedge (q,r) \in \mathcal{R}_2\} \tag{17}$$

Lemma 1 Assume that each $\mathcal{W}_i$ ($i = 1, 2, \ldots$) is a weak timed bisimulation, then the following relations are all weak timed bisimulations. 

(1) $Id$  (2) $\mathcal{W}_i^{-1}$  (3) $\mathcal{W}_1\mathcal{W}_2$  (4) $\bigcup \mathcal{W}_i$ 

Proof 

1. $Id$: $\forall P \in S,\ \gamma \in Act \cup \mathbb{R}$ each transition $P \xrightarrow{\gamma} P'$ can be matched by itself in the superset transition relation $P \stackrel{\gamma}{\Rightarrow} P'$, because $P \xrightarrow{\gamma} P'$ is an instance of the first disjunct of Def. 20 with zero τ's (and for $\gamma = \tau$, $\hat\gamma = 0$ is matched by $P\,(\xrightarrow{\tau})^*\,P'$); therefore, $((P,P) \in Id \wedge P \xrightarrow{\gamma} P') \Rightarrow P \stackrel{\hat\gamma}{\Rightarrow} P' \wedge (P',P') \in Id$, and therefore, $Id$ is a weak timed bisimulation. 

2. $\mathcal{W}_i^{-1}$: Given any weak timed bisimulation $\mathcal{W}_i$, $\forall (S,I) \in \mathcal{W}_i^{-1},\ \gamma \in Act \cup \mathbb{R}$ all transitions $S \xrightarrow{\gamma} S'$ and $I \xrightarrow{\gamma} I'$ are matched by transitions $I \stackrel{\hat\gamma}{\Rightarrow} I'$ and $S \stackrel{\hat\gamma}{\Rightarrow} S'$ and $(S',I') \in \mathcal{W}_i^{-1}$; therefore $\mathcal{W}_i^{-1}$ is a weak timed bisimulation. 

3. $\mathcal{W}_1\mathcal{W}_2$: Given two weak timed bisimulations, $\mathcal{W}_1$ and $\mathcal{W}_2$, and the composition of those bisimulations, $\mathcal{W}_1\mathcal{W}_2$, the proof proceeds by assuming $(P,Q) \in \mathcal{W}_1 \wedge (Q,R) \in \mathcal{W}_2 \wedge (P,R) \in \mathcal{W}_1\mathcal{W}_2$ and showing that for all possible actions that must be matched in Formulas 13 and 14 in Def. 21, the actions are matched across the composition and $(P',R') \in \mathcal{W}_1\mathcal{W}_2$. 

(a) Formula 14: Since $\mathcal{W}_1$ is a weak timed bisimulation all transitions $P \xrightarrow{\gamma} P'$ are matched by transitions $Q \stackrel{\hat\gamma}{\Rightarrow} Q'$. 

i. $Q\,(\xrightarrow{\tau})^* \xrightarrow{\hat\gamma} (\xrightarrow{\tau})^*\,Q'$ (Def. 20, first disjunct): Since $\mathcal{W}_2$ is a weak timed bisimulation, according to Formula 14, every $Q^i \xrightarrow{\tau} Q^{i+1}$ is matched by some $R^{i+1}$ such that $R^i \stackrel{0}{\Rightarrow} R^{i+1} \wedge (Q^{i+1}, R^{i+1}) \in \mathcal{W}_2$. This is true inductively for more τ's in $(\xrightarrow{\tau})^*$, so $Q\,(\xrightarrow{\tau})^*\,Q^m$ is matched by $R \stackrel{0}{\Rightarrow} R^m \wedge (Q^m, R^m) \in \mathcal{W}_2$ according to Formula 14. According to Formula 14, whether $\hat\gamma = 0$ or $\hat\gamma = \gamma$, $Q^m \xrightarrow{\hat\gamma} Q^n$ is matched by some $R^n$ such that $R^m \stackrel{\hat\gamma}{\Rightarrow} R^n \wedge (Q^n, R^n) \in \mathcal{W}_2$. Finally, by Formula 14 any sequence of τ's in $Q^n\,(\xrightarrow{\tau})^*\,Q'$ is matched by $R^n \stackrel{0}{\Rightarrow} R' \wedge (Q', R') \in \mathcal{W}_2$. And, by Def. 20, $(R \stackrel{0}{\Rightarrow} R^m \stackrel{\hat\gamma}{\Rightarrow} R^n \stackrel{0}{\Rightarrow} R') \Rightarrow R \stackrel{\hat\gamma}{\Rightarrow} R'$. 

ii. $Q \xrightarrow{\delta_1} (\xrightarrow{\tau})^* \xrightarrow{\delta_2} Q' \wedge \gamma = \delta_1 + \delta_2$ (Def. 20, second disjunct): Since $\mathcal{W}_2$ is a weak timed bisimulation, according to Formula 14, $Q \xrightarrow{\delta_1} Q^m$ is matched by some $R^m$ such that $R \stackrel{\delta_1}{\Rightarrow} R^m \wedge (Q^m, R^m) \in \mathcal{W}_2$. Likewise, by Formula 14 any sequence of τ's in $Q^m\,(\xrightarrow{\tau})^*\,Q^n$ is matched by $R^m \stackrel{0}{\Rightarrow} R^n \wedge (Q^n, R^n) \in \mathcal{W}_2$. Finally, Formula 14 ensures that all $Q'$, $Q^n \xrightarrow{\delta_2} Q'$, are matched by some $R'$ such that $R^n \stackrel{\delta_2}{\Rightarrow} R' \wedge (Q', R') \in \mathcal{W}_2$. And, by Def. 20, $(R \stackrel{\delta_1}{\Rightarrow} R^m \stackrel{0}{\Rightarrow} R^n \stackrel{\delta_2}{\Rightarrow} R') \Rightarrow R \stackrel{\gamma}{\Rightarrow} R'$. 

Therefore, $R \stackrel{\hat\gamma}{\Rightarrow} R' \wedge (P', R') \in \mathcal{W}_1\mathcal{W}_2$ by the definition of composition (Formula 17). 

(b) Formula 13: By reasoning from right to left in the same way, all transitions $R \xrightarrow{\gamma} R'$ are matched by transitions $Q \stackrel{\hat\gamma}{\Rightarrow} Q'$ and $P \stackrel{\hat\gamma}{\Rightarrow} P' \wedge (P', R') \in \mathcal{W}_1\mathcal{W}_2$, so $\mathcal{W}_1\mathcal{W}_2$ is a weak timed bisimulation. 

4. $\bigcup \mathcal{W}_i$: $\forall (I,S) \in \bigcup \mathcal{W}_i,\ \gamma \in Act \cup \mathbb{R}$ all transitions $S \xrightarrow{\gamma} S'$ and $I \xrightarrow{\gamma} I'$ are matched by transitions $I \stackrel{\hat\gamma}{\Rightarrow} I'$ and $S \stackrel{\hat\gamma}{\Rightarrow} S'$ from some $\mathcal{W}_i$ in the union and $(I', S') \in \mathcal{W}_i \subseteq \bigcup \mathcal{W}_i$, therefore $\bigcup \mathcal{W}_i$ is a weak timed bisimulation. □ 
Def. 21 does not uniquely identify a particular relation (e.g., ∅ is a weak timed bisimulation). The definition is strengthened here by referring to the largest weak timed bisimulation (i.e., maximal fixpoint) or union of timed bisimulations. 

Definition 22. Weak Timed Bisimulation Maximum Fixpoint: $\mathcal{W}$. 

Given two DLTS's $(S_I, Act_I, \to_I, (l_0,\pi_0)_I)$ and $(S_S, Act_S, \to_S, (l_0,\pi_0)_S)$, 

$$\mathcal{W} = \bigcup_{\mathcal{R} \in \mathcal{P}(S_I \times S_S)} \{\mathcal{R} \mid \mathcal{R} \text{ is a weak timed bisimulation}\}$$

Theorem 1 Given Def. 22, $\mathcal{W}$ is the largest weak timed bisimulation. 

Proof 

By Lemma 1(4), $\mathcal{W}$ is a weak timed bisimulation and by definition it includes any other such. 

□ 

Now DLTS automata are related to one another using maximum weak timed bisimulations. 

Definition 23. Weak Timed Bisimilar DLTS: ≈. 

Two DLTS's $I = (S_I, Act_I, \to_I, (l_0,\pi_0)_I)$ and $S = (S_S, Act_S, \to_S, (l_0,\pi_0)_S)$ are weak timed bisimilar (written $I \approx S$) iff 


$$((l_0,\pi_0)_I, (l_0,\pi_0)_S) \in \mathcal{W}$$

Theorem 2 Given Def. 22, ≈ is an equivalence relation. 

Proof 

1. Reflexivity: For any DLTS P, $P \approx P$ by Lemma 1(1) since $((l_0,\pi_0)_P, (l_0,\pi_0)_P) \in \mathcal{W}$. 

2. Symmetry: For two DLTS P and Q, $P \approx Q \Rightarrow Q \approx P$ since $((l_0,\pi_0)_P, (l_0,\pi_0)_Q) \in \mathcal{W} \Rightarrow ((l_0,\pi_0)_Q, (l_0,\pi_0)_P) \in \mathcal{W}^{-1}$ per Lemma 1(2). 

3. Transitivity: For three DLTS P, Q, and R, $P \approx Q \wedge Q \approx R \Rightarrow P \approx R$ by Lemma 1(3) since $((l_0,\pi_0)_P, (l_0,\pi_0)_Q) \in \mathcal{W}_1 \wedge ((l_0,\pi_0)_Q, (l_0,\pi_0)_R) \in \mathcal{W}_2 \Rightarrow ((l_0,\pi_0)_P, (l_0,\pi_0)_R) \in \mathcal{W}_1\mathcal{W}_2$. □ 

Now, the equivalence relation ≈ between DLTS is established. It relates two DLTS that are observationally equivalent with respect to their external actions despite the fact that they may have significantly different internal action sequences. Weak timed bisimulation does not yet allow the timing of two DLTS to vary. 
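To make Definitions 20 to 23 concrete, the following added example (written for this page, not code from the dissertation or its TLCS tool) computes the τ-closure matches of Def. 20 and the maximal weak timed bisimulation of Def. 22 over small finite DLTS. It assumes discrete integer delays and constructed sample automata, since the real-clock DLTS induced from a TSA has uncountably many states.

```python
from itertools import product

TAU = "tau"  # the distinguished internal action


class DLTS:
    """Finite DLTS with discrete time (constructed for this example).

    Transitions are (p, label, q) where label is an action name (input 'a',
    output 'a_bar', or TAU) or a positive integer delay.  Integer delays are
    an assumption made here so that the fixpoint below terminates.
    """

    def __init__(self, init, trans):
        self.init = init
        self.trans = set(trans)
        self.states = {init} | {p for p, _, _ in trans} | {q for _, _, q in trans}
        self.labels = {lab for _, lab, _ in trans}

    def step(self, p, label):
        """Q with P --label--> Q in the original transition relation."""
        return {q for s, lab, q in self.trans if s == p and lab == label}

    def tau_star(self, p):
        """States reachable from p by zero or more tau transitions."""
        seen, todo = {p}, [p]
        while todo:
            for q in self.step(todo.pop(), TAU) - seen:
                seen.add(q)
                todo.append(q)
        return seen

    def weak_step(self, p, gamma):
        """Q with P ==gamma_hat==> Q in the tau-closure (Defs. 19 and 20).

        gamma = TAU:     gamma_hat = 0, matched by tau* (staying put allowed).
        visible action:  tau* gamma tau*            (Def. 20, first disjunct).
        integer delay:   any interleaving of tau steps and delays summing to
                         gamma (second disjunct applied transitively), with
                         leading/trailing tau's from the first disjunct.
        """
        if gamma == TAU:
            return self.tau_star(p)
        if isinstance(gamma, int):
            out, seen, todo = set(), set(), [(p, gamma)]
            while todo:
                s, remaining = todo.pop()
                if (s, remaining) in seen:
                    continue
                seen.add((s, remaining))
                if remaining == 0:
                    out.add(s)
                for src, lab, q in self.trans:
                    if src != s:
                        continue
                    if lab == TAU:
                        todo.append((q, remaining))
                    elif isinstance(lab, int) and 0 < lab <= remaining:
                        todo.append((q, remaining - lab))
            return out
        out = set()
        for s in self.tau_star(p):
            for q in self.step(s, gamma):
                out |= self.tau_star(q)
        return out


def largest_weak_timed_bisimulation(impl, spec):
    """Maximal fixpoint W of Def. 22: start from S_I x S_S and discard every
    pair violating Formula 13 or 14 until nothing changes."""
    labels = impl.labels | spec.labels
    W = set(product(impl.states, spec.states))
    while True:
        keep = set()
        for (i, s) in W:
            ok = True
            for g in labels:
                # Formula 13: every spec move is answered by the implementation
                for s_next in spec.step(s, g):
                    if not any((i_next, s_next) in W for i_next in impl.weak_step(i, g)):
                        ok = False
                # Formula 14: every implementation move is answered by the spec
                for i_next in impl.step(i, g):
                    if not any((i_next, s_next) in W for s_next in spec.weak_step(s, g)):
                        ok = False
            if ok:
                keep.add((i, s))
        if keep == W:
            return W
        W = keep


def weak_timed_bisimilar(impl, spec):
    """Def. 23: the initial states are related by the maximal fixpoint."""
    return (impl.init, spec.init) in largest_weak_timed_bisimulation(impl, spec)


# Constructed specification: accept input a, wait 2 time units (as one step or
# two unit steps), then emit output b_bar and return to the initial state.
SPEC = DLTS("s0", [("s0", "a", "s1"), ("s1", 2, "s2"), ("s1", 1, "s1h"),
                   ("s1h", 1, "s2"), ("s2", "b_bar", "s0")])
# Constructed implementation: same observable timing, but the wait is split by
# internal tau bookkeeping steps, which the closure abstracts away.
IMPL = DLTS("i0", [("i0", "a", "i1"), ("i1", TAU, "i2"), ("i2", 1, "i3"),
                   ("i3", TAU, "i4"), ("i4", 1, "i5"), ("i5", "b_bar", "i0")])
# Constructed implementation that waits 3 units: timing differs, so no match.
SLOW = DLTS("t0", [("t0", "a", "t1"), ("t1", 3, "t2"), ("t2", "b_bar", "t0")])

if __name__ == "__main__":
    print(weak_timed_bisimilar(IMPL, SPEC), weak_timed_bisimilar(SLOW, SPEC))
```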

4.3 Abstracting Temporal Differences 

In order to allow the inputs of the implementation to be a timed superset of specification inputs, and the outputs of the specification to be a timed superset of implementation outputs, further abstraction operations are defined by closing transition relations over time-passing actions under certain conditions. 

Definition 24. Input-δ-τ-Closure: $P \Rightarrow_i Q$. A DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is input-δ-τ-transitive if whenever 

$$\begin{array}{ll} P\,(\xrightarrow{\tau})^* \xrightarrow{\sigma} (\xrightarrow{\tau})^*\, Q & \wedge\; \sigma \in Act \cup \mathbb{R} \qquad\vee \\ P \xrightarrow{\delta_1} (\xrightarrow{\tau})^* \xrightarrow{\delta_2} Q & \wedge\; \sigma = \delta_1 + \delta_2 \qquad\vee \\ P \xrightarrow{\delta_1} (\xrightarrow{\tau})^* \xrightarrow{\sigma} (\xrightarrow{\tau})^* \xrightarrow{\delta_2} Q & \wedge\; \sigma \in A,\ \delta_1, \delta_2 \in \mathbb{R} \end{array}$$

exists in $R$ then $P \stackrel{\sigma}{\Rightarrow}_i Q$ also exists in $R$. 

The input-δ-τ-closure of a DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is the relation $R'$ such that 

1. $R'$ is input-δ-τ-transitive, 

2. $R' \supseteq R$, 

3. For any input-δ-τ-transitive relation $R''$, $R'' \supseteq R \Rightarrow R'' \supseteq R'$. 

Transitions from state P to state Q by action σ in input-δ-τ-closure are denoted by $P \stackrel{\sigma}{\Rightarrow}_i Q$. The predicate $P \stackrel{\sigma}{\Rightarrow}_i$ is true when there is at least one transition from state P via action σ ∈ Act ∪ ℝ. Input-δ-τ-closure models time-and-tau-abstracted input actions. Outputs, τ, and δ actions themselves are not time abstracted. Input-δ-τ-closure extends specification transition relations to match implementation behaviors, but it does not allow the timing of outputs, δ's, or τ's to vary. 

Definition 25. Output-δ-τ-Closure: $P \Rightarrow_o Q$. A DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is output-δ-τ-transitive if whenever 

$$\begin{array}{ll} P\,(\xrightarrow{\tau})^* \xrightarrow{\sigma} (\xrightarrow{\tau})^*\, Q & \wedge\; \sigma \in Act \cup \mathbb{R} \qquad\vee \\ P \xrightarrow{\delta_1} (\xrightarrow{\tau})^* \xrightarrow{\delta_2} Q & \wedge\; \sigma = \delta_1 + \delta_2 \qquad\vee \\ P \xrightarrow{\delta_1} (\xrightarrow{\tau})^* \xrightarrow{\sigma} (\xrightarrow{\tau})^* \xrightarrow{\delta_2} Q & \wedge\; \sigma \in \bar{A},\ \delta_1, \delta_2 \in \mathbb{R} \end{array}$$

exists in $R$ then $P \stackrel{\sigma}{\Rightarrow}_o Q$ also exists in $R$. 

The output-δ-τ-closure of a DLTS transition relation $R \subseteq (S \times (Act \cup \mathbb{R}) \times S)$ is the relation $R'$ such that 

1. $R'$ is output-δ-τ-transitive, 

2. $R' \supseteq R$, 

3. For any output-δ-τ-transitive relation $R''$, $R'' \supseteq R \Rightarrow R'' \supseteq R'$. 

Transitions from state P to state Q by action σ in output-δ-τ-closure are denoted by $P \stackrel{\sigma}{\Rightarrow}_o Q$. The predicate $P \stackrel{\sigma}{\Rightarrow}_o$ is true when there is at least one transition from state P via action σ ∈ Act ∪ ℝ. Output-δ-τ-closure models time-and-tau-abstracted output actions; i.e., the closure relation has additional output transitions when they occur in conjun­ction with time-passing or internal actions. Input, τ, and δ actions are not time-abstracted, only tau-abstracted. Output-δ-τ-closure extends implementation transition relations to match the specification output behaviors, but it does not allow the timing of inputs, δ's, or τ's to vary. 

In addition to the closures, the following two projections are defined. They are subsets of the DLTS transition relation →. They define the sets of specification and implementation time-passing actions that must be subsets of each other's time actions — i.e., the transitions leading to τ's and inputs or τ's and outputs respectively. 

Definition 26. Input Projection: $\to_i$. 

$$\to_i\ \subseteq S \times \mathbb{R} \times S = \{((l,\pi_i), \delta, (l,\pi_j)) \mid ((l,\pi_i), \delta, (l,\pi_j)) \in \to\ \wedge\ \exists ((l,\pi_k), a, \_) \in \to\ [\pi_i < \pi_k \wedge \pi_j \le \pi_k \wedge a \in A \cup \{\tau\}]\}$$

Definition 27. Output Projection: $\to_o$. 

$$\to_o\ \subseteq S \times \mathbb{R} \times S = \{((l,\pi_i), \delta, (l,\pi_j)) \mid ((l,\pi_i), \delta, (l,\pi_j)) \in \to\ \wedge\ \exists ((l,\pi_k), \beta, \_) \in \to\ [\pi_i < \pi_k \wedge \pi_j \le \pi_k \wedge \beta \in \bar{A} \cup \{\tau\}]\}$$

The following example illustrates projections. If $X \xrightarrow{\delta} X' \xrightarrow{a} X''$, and only input a is possible from X', then $X \xrightarrow{\delta}_i X'$, but not $X \xrightarrow{\delta}_o X'$. However, if $X \xrightarrow{\delta} X' \xrightarrow{\beta} X''$ also holds for an output β (so an output is possible from X' as well), then $X \xrightarrow{\delta}_o X'$ and $X \xrightarrow{\delta}_i X'$. 

Next,  a  predicate  that  allows  implementation  outputs  to  have  tighter  upper-bounds  than 
specification  outputs  is  defined.  It  also  relaxes  the  superset  relationship  between  implementation 
and  specification  inputs  when  simultaneous  inputs  and  outputs  are  possible  from  the  same  location, 
i.e.,  output  timing  constraints  take  precedence  over  input  timing  constraints  when  they  conflict. 
This  is  reasonable,  because  when  the  implementation  must  perform  an  output,  it  causes  it  to 
happen.  After  that,  whether  or  not  the  implementation’s  input  behaviors  satisfy  the  specification’s 
is  determined  by  the  TLC  relation  of  the  post-output  to-locations. 

Definition 28. Output-Bound: $ob$. $ob : S_I \times \mathbb{R} \times S_S \times \mathcal{P}(S_I \times S_S) \to \{t, f\}$ = 

$$ob(I, \delta, S, \mathcal{R}) \triangleq$$

$$I \not\xrightarrow{\delta}\ \wedge \tag{18}$$

$$\exists \delta_1 \in \mathbb{R},\ I' \in S_I,\ \beta \in \bar{A} \cup \{\tau\}\ [\,I \xrightarrow{\delta_1} \xrightarrow{\beta} I' \wedge \delta_1 < \delta\ \wedge \tag{19}$$

$$\forall \delta_2 \ge \delta_1,\ S' \in S_S,\ I'' \in S_I\ [\,S \xrightarrow{\delta_2} S' \Rightarrow ((I', S') \in \mathcal{R}\ \wedge \tag{20}$$

$$(I' \longrightarrow I'' \Rightarrow (I'', S') \in \mathcal{R}))\,]\,] \tag{21}$$

Conjunct 18 requires that the implementation cannot do δ. Conjunct 19 requires the implementation system to be constrained by a location invariant to produce an output or τ. Conjunct 20 ensures that future specification actions are matched by the implementation at the time it produces the output, and conjunct 21 specifies that there are no other future implementation locations that do not also match the specification's behavior (bisimulation). 

Output-bound  allows  faster  implementation  outputs  in  TSA  locations  where  both  inputs  and 
outputs  are  possible.  For  example,  output-bound  allows  us  to  accept  an  And  with  output  delays 
in  [2,4]  as  an  implementation  of  an  And  specification  with  delays  [1,6].  Without  output-bound, 
only  the  lower  bound  of  a  delay  could  change,  and  in  this  example,  only  an  And  implementation 
with  an  upper  bound  of  6  would  satisfy  TLC.  Output-bound  formalizes  the  notion  that  as  long 
as  an  implementation’s  output  occurs  within  the  bounds  of  the  same  output  in  the  specification, 
it  can  occur  in  accordance  with  a  tighter  location  invariant  even  though  the  specification  could 
remain  in  its  location  longer  and  subsequently  accept  future  inputs.  Without  this  exception,  TLC 
generally  cannot  accept  implementations  with  less  output  variation  in  locations  where  otherwise 
unconstrained  inputs  are  also  possible.  Modeling  locations  with  both  inputs  and  outputs  possible 
is  important  for  accurate  modeling  of  real  systems  as  well  as  abstracting  behavior  into  simpler 
machines  with  fewer  locations. 
4.4 Defining Timed Logic Conformance 


Based on the preceding definitions, the partial order that temporally and behaviorally relaxes weak timed bisimulation is defined as follows. 

Definition 29. A binary relation $\mathcal{LC}^t \subseteq S_I \times S_S$ over DLTS automata states is a timed logic conformation between an implementation DLTS $(S_I, Act_I, \to_I, (l_0,\pi_0)_I)$ and specification DLTS $(S_S, Act_S, \to_S, (l_0,\pi_0)_S)$, iff 


$$\forall (I,S) \in \mathcal{LC}^t,\ a \in A,\ \beta \in \bar{A} \cup \{\tau\},\ \delta \in \mathbb{R}\ [$$

$$\forall S'\,[\,S \xrightarrow{a} S' \Rightarrow \exists I'\,[\,I \stackrel{a}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t\,]\,]\ \wedge \tag{22}$$

$$\forall S'\,[\,S \xrightarrow{\beta} S' \Rightarrow \exists I'\,[\,I \stackrel{\hat\beta}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t\,]\,]\ \wedge \tag{23}$$

$$\forall I'\,[\,I \xrightarrow{a} I' \wedge S \xrightarrow{a} \Rightarrow \exists S'\,[\,S \stackrel{a}{\Rightarrow}_i S' \wedge (I', S') \in \mathcal{LC}^t\,]\,]\ \wedge \tag{24}$$

$$\forall I'\,[\,I \xrightarrow{\beta} I' \Rightarrow \exists S'\,[\,S \stackrel{\hat\beta}{\Rightarrow}_i S' \wedge (I', S') \in \mathcal{LC}^t\,]\,]\ \wedge \tag{25}$$

$$\forall S'\,[\,S \xrightarrow{\delta}_i S' \Rightarrow (\exists I'\,[\,I \stackrel{\delta}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t\,] \vee ob(I, \delta, S, \mathcal{LC}^t))\,]\ \wedge \tag{26}$$

$$\forall I'\,[\,I \xrightarrow{\delta}_o I' \Rightarrow \exists S'\,[\,S \stackrel{\delta}{\Rightarrow}_i S' \wedge (I', S') \in \mathcal{LC}^t\,]\,]\ ] \tag{27}$$


Formulas 22 and 23 require the implementation to simulate the observable behaviors of the specification. The implementation has considerable freedom for matching the specification via the output-δ-τ-closure; it can match inputs (a) or internal specification actions (β = τ) while doing its own internal actions; and it can pass time and/or execute internal actions of its own to match specification outputs (β ≠ τ). Formulas 24 and 25 require the specification to simulate observable behaviors of the implementation. Formula 24 weakens standard weak bisimulation by allowing implementations with irrelevant inputs (i.e., inputs that are not possible from specification state S) as long as there is a mapping from the relevant subset of the implementation's state space to the specification's state space, just as Stevens formalized without timing (Ste94). Formula 25 requires the specification to simulate all outputs and τ's of the implementation. Formula 26 ensures that all specification time derivatives leading to specification inputs or τ's (i.e., those deltas where $S \xrightarrow{\delta}_i$) are simulated by the implementation with output-bound exceptions allowed, and Formula 27 ensures that all implementation time derivatives leading to implementation outputs or τ's (i.e., those deltas where $I \xrightarrow{\delta}_o$) are simulated by the specification. 

4.5 Timed Logic Conformance Example 

TSA X and Y in Figure 6 serve to illustrate the $\mathcal{LC}^t$ relation. X and Y are annotated with intervals to help visualize their induced DLTS's. 


(Figure 6 panels: Imp, Spec) 

Figure 6. Simple $Y \le_\ell^t X$ TSA. 

The DLTS automata for X and Y have uncountable states, but the intervals annotated in the states of Figure 6 represent the value of the clocks x and y in X and Y states respectively. The following formulas prove that 

$$\begin{array}{rl} \mathcal{LC}^t = & \{(Y_y, X_x) \mid x, y \in \mathbb{R}\}\ \cup \\ & \{(Y1_y, X1_x) \mid y \in [0,3) \wedge ((x \in [0,1] \wedge x \ge y) \vee (x \in (1,4) \wedge x < y + 1))\}\ \cup \\ & \{(Y1_y, X2_x) \mid y \in [0,3) \wedge x \in [0,4) \wedge x < y + 1\}\ \cup \\ & \{(Y2_y, X1_x) \mid y \in (0,5] \wedge x \in (1,4) \wedge x < y + 1\}\ \cup \\ & \{(Y2_y, X2_x) \mid y \in [0,5] \wedge x \in [0,6] \wedge x < y + 1\} \end{array}$$

is a Timed Logic Conformation and that $(Y_0, X_0) \in \mathcal{LC}^t$. Note that state-name subscripts represent the timed state via the value of the clock, and that the following formulas are numbered according to the corresponding formula number in Definition 29. Also note that formulas not shown are vacuously true (e.g., specification states without inputs vacuously satisfy Formula 22). 

Relating states $(Y_y, X_x)\ \forall x, y \in \mathbb{R}$ 

(22) $[\,X_x \xrightarrow{a} X1_0 \Rightarrow Y_y \stackrel{a}{\Rightarrow}_o Y1_0 \wedge (Y1_0, X1_0) \in \mathcal{LC}^t\,]$ 

(24) $[\,(Y_y \xrightarrow{a} Y1_0 \wedge X_x \xrightarrow{a}) \Rightarrow X_x \stackrel{a}{\Rightarrow}_i X1_0 \wedge (Y1_0, X1_0) \in \mathcal{LC}^t\,]$ 

(26) $[\,X_x \xrightarrow{\delta}_i X_{x+\delta} \Rightarrow Y_y \stackrel{\delta}{\Rightarrow}_o Y_{y+\delta} \wedge (Y_{y+\delta}, X_{x+\delta}) \in \mathcal{LC}^t\,]$ 

Observe that Y's location 0 need not be associated with any corresponding location in X, since $X \not\xrightarrow{c}$ satisfies Formula 24's implication antecedent vacuously. If location 0 had derivatives, it would not matter that location 0 is not related to derivative locations of X; they are unreachable since the specification declares that c shall not occur. Note also that for $x \in [0,2)$, $X_x \not\xrightarrow{a}$ satisfies Formula 24 vacuously, allowing $(Y_y, X_x)$ to remain in $\mathcal{LC}^t$. 

Note however, $\mathcal{LC}^t$ would be reduced to ∅ if $Y \xrightarrow{\bar{c}} 0$ instead of $Y \xrightarrow{c} 0$, because $Y \xrightarrow{\bar{c}} 0$ falsifies Formula 25, removing $\{(Y_y, X_x) \mid x, y \in \mathbb{R}\}$ from $\mathcal{LC}^t$. Without $\{(Y_y, X_x) \mid x, y \in \mathbb{R}\} \subseteq \mathcal{LC}^t$, $(Y2_y, X2_x)$, $(Y1_y, X2_x)$, $(Y2_y, X1_x)$, $(Y1_y, X1_x)$ cannot be in $\mathcal{LC}^t$ either, because the formulas require the to-locations to be in the relation, so $\mathcal{LC}^t = \emptyset$. 

Relating states $(Y1_y, X1_x)\ \forall y \in [0,3) \wedge ((x \in [0,1] \wedge x \ge y) \vee (x \in (1,4) \wedge x < y + 1))$ 

(23) $\forall x \in [0,4),\ y \in [0,3)\ [\,x < y + 1 \wedge X1_x \xrightarrow{\tau} X2_x \Rightarrow Y1_y \stackrel{0}{\Rightarrow}_o Y2_y \wedge (Y2_y, X2_x) \in \mathcal{LC}^t\,]$ 

(25) $\forall y \in [0,3),\ x \in (1,4)\ [\,x < y + 1 \wedge Y1_y \xrightarrow{\tau} Y2_y \Rightarrow X1_x \stackrel{0}{\Rightarrow}_i X2_x \wedge (Y2_y, X2_x) \in \mathcal{LC}^t\,]$ 

(25) $\forall y \in [0,3),\ x \in [0,1]\ [\,x \ge y \wedge Y1_y \not\xrightarrow{\beta}\,]$ 

(26) $\forall x \in (0,4),\ y \in [0,3),\ \delta \in \mathbb{R}\ [\,(x \ge y \vee x < y + 1) \wedge X1_x \xrightarrow{\delta}_i X1_{x+\delta} \Rightarrow (Y1_y \stackrel{\delta}{\Rightarrow}_o Y1_{y+\delta} \wedge (Y1_{y+\delta}, X1_{x+\delta}) \in \mathcal{LC}^t) \vee ob(Y1_y, \delta, X1_x, \mathcal{LC}^t)\,]$ 

(27) $\forall y \in [0,3),\ x \in [0,1],\ \delta \in \mathbb{R}\ [\,x \ge y \wedge Y1_y \xrightarrow{\delta}_o Y1_{y+\delta} \Rightarrow X1_x \stackrel{\delta}{\Rightarrow}_i X1_{x+\delta} \wedge (Y1_{y+\delta}, X1_{x+\delta}) \in \mathcal{LC}^t\,]$ 

(27) $\forall y \in [0,3),\ x \in [0,4),\ \delta \in \mathbb{R}\ [\,(x \ge y \vee x < y + 1) \wedge Y1_y \xrightarrow{\delta}_o Y1_{y+\delta} \Rightarrow X1_x \stackrel{\delta}{\Rightarrow}_i X1_{x+\delta} \wedge (Y1_{y+\delta}, X1_{x+\delta}) \in \mathcal{LC}^t\,]$ 

If $Y1 \xrightarrow{\tau} Y2$'s guard were $y \ge 1$ then Formula 25 would be false at time $x = y = 1$ for implementation transitions $Y1_1 \xrightarrow{\tau} Y2_1$ because $(Y2_1, X1_1) \notin \mathcal{LC}^t$ and there is no $X1_1 \stackrel{0}{\Rightarrow}_i X2_1$ transition in X. This would mean that Formula 27 is also false for $Y1_y \xrightarrow{\delta}_o Y1_1$, $y \in [0,1]$, $\delta = 1 - y$, because $(Y1_1, X1_1) \notin \mathcal{LC}^t$. This removes $(Y1_y, X1_1)$ from $\mathcal{LC}^t$. Consequently $(Y_y, X_x)$, $(Y2_y, X2_x)$, $(Y1_y, X2_x)$, $(Y2_y, X1_x)$, and the remaining $(Y1_y, X1_x)$, cannot be in $\mathcal{LC}^t$ either, so $\mathcal{LC}^t = \emptyset$. 

Relating states $(Y1_y, X2_x)\ \forall y \in [0,3) \wedge x \in [0,4) \wedge x < y + 1$ 

(23) $[\,X2_x \xrightarrow{\beta} X_x \Rightarrow Y1_y \stackrel{\beta}{\Rightarrow}_o Y_y \wedge (Y_y, X_x) \in \mathcal{LC}^t\,]$ 

(25) $[\,Y1_y \xrightarrow{\tau} Y2_y \Rightarrow X2_x \stackrel{0}{\Rightarrow}_i X2_x \wedge (Y2_y, X2_x) \in \mathcal{LC}^t\,]$ 

(27) $\forall \delta \in \mathbb{R}\ [\,Y1_y \xrightarrow{\delta}_o Y1_{y+\delta} \Rightarrow X2_x \stackrel{\delta}{\Rightarrow}_i X2_{x+\delta} \wedge (Y1_{y+\delta}, X2_{x+\delta}) \in \mathcal{LC}^t\,]$ 

Relating states $(Y2_y, X1_x)\ \forall y \in (0,5] \wedge x \in (1,4) \wedge x < y + 1$ 

(23) $[\,X1_x \xrightarrow{\tau} X2_x \Rightarrow Y2_y \stackrel{0}{\Rightarrow}_o Y2_y \wedge (Y2_y, X2_x) \in \mathcal{LC}^t\,]$ 

(25) $[\,Y2_y \xrightarrow{\beta} Y_y \Rightarrow X1_x \stackrel{\beta}{\Rightarrow}_i X_x \wedge (Y_y, X_x) \in \mathcal{LC}^t\,]$ 

(27) $\forall \delta \in \mathbb{R}\ [\,Y2_y \xrightarrow{\delta}_o Y2_{y+\delta} \Rightarrow X1_x \stackrel{\delta}{\Rightarrow}_i X1_{x+\delta} \wedge (Y2_{y+\delta}, X1_{x+\delta}) \in \mathcal{LC}^t\,]$ 

Relating states $(Y2_y, X2_x)\ \forall y \in [0,5] \wedge x \in [0,6] \wedge x < y + 1$ 

(23) $[\,X2_x \xrightarrow{\beta} X_x \Rightarrow Y2_y \stackrel{\beta}{\Rightarrow}_o Y_y \wedge (Y_y, X_x) \in \mathcal{LC}^t\,]$ 

(25) $[\,Y2_y \xrightarrow{\beta} Y_y \Rightarrow X2_x \stackrel{\beta}{\Rightarrow}_i X_x \wedge (Y_y, X_x) \in \mathcal{LC}^t\,]$ 

(27) $\forall \delta \in \mathbb{R}\ [\,Y2_y \xrightarrow{\delta}_o Y2_{y+\delta} \Rightarrow X2_x \stackrel{\delta}{\Rightarrow}_i X2_{x+\delta} \wedge (Y2_{y+\delta}, X2_{x+\delta}) \in \mathcal{LC}^t\,]$ 

4.6 Comparing TLC to Other Relations 

Theoretically, TLC's relationship with other formal equivalence, partial order, and refinement relations like TCCS's weak timed bisimulation, CTR, and timed simulation is important to understand. Since TLC is asymmetrically defined over a different formalism, comparing them is not generally rigorously possible. One can see that TLC is weaker than TCCS weak timed bisimulation because TLC ignores temporal differences between actions. TLC is not comparable in a formal sense to CTR's refinement relation because they formalize the relationship between implementation and specification inputs in opposite directions; i.e., for CTR agents $X = a.[1,5].b.X$ and $Y = a.[2,4].b.Y$, $Y \le X$ and $X \not\le Y$, but the opposite is true for TLC: $X \le_\ell^t Y$ and $Y \not\le_\ell^t X$. Comparing timed simulation to TLC raises similar issues. The fact that TLC allows constrained inputs that violate timed simulation's nonblocking requirement makes TLC weaker than timed simulation in that situation. However, when used on models that define all inputs in all states for all times, TLC is stronger in the sense that it requires the set of output variables of the two processes to be the same, while timed simulation does not. Other than saying "TLC is weaker than weak timed bisimulation," about all that can be said is "TLC is different from the rest." 

4.7 Properties of Timed Logic Conformance 

In the interest of applying TLC to a hierarchical design process, it must be shown that $\mathcal{LC}^t$ induces a partially ordered binary relation (reflexive, antisymmetric, and transitive) over the set of DLTS automata induced from the set of TSA. Reflexivity is an important property for design 
purposes,  because  it  must  always  be  possible  to  substitute  a  component  for  itself.  Antisymmetry 
is  likewise  important  because  models  that  can  be  substituted  for  each  other  are  “equivalent”  or 
the  same.  Transitivity  is  the  property  that  guarantees  hierarchical  verification  of  the  relation. 
Unfortunately,  without  restricting  TSA  modeling,  TLC  is  not  transitive  over  the  induced  DLTS. 
The  following  TSA  modeling  constraints  are  required  to  preserve  transitivity: 

Definition  30.  TSA  Modeling  Constraints. 

1. A location has a location invariant iff it has one or more output or τ transitions from it. This is similar to TCCS's persistence property, but only for outputs and τ's. 

2.  No  initial  location  has  an  invariant  (all  initial  locations  are  stable).  Hence,  all  TSA  must 
receive  at  least  one  input  before  generating  an  output. 

3.  No  output  or  r  transition  is  guarded  by  an  upper-bound  stronger  than  the  from-location  in¬ 
variant. 

4.  No  to-location  of  a  transition  has  a  stronger  location  invariant  than  the  from-location  unless 
the  clocks  involved  in  the  strengthened  invariants  are  reset. 

These are reasonable modeling constraints, especially for the hardware domain where devices control the timing of their outputs but not their inputs. The constraints strengthen the causal relationship of the models and their outputs and they increase the fidelity between the models and the physical devices they represent. The first modeling constraint increases fidelity because devices that are not broken cannot take an indefinite amount of time to produce an output. It also prohibits the situation where a receiving device "forces" an input to occur by an expiring location invariant. Note that a model can still place an upper-bound on an input, but the upper-bound constraint for inputs may only be expressed by a guard, not a location invariant. Hence an upper-bounded input guard can disable the input, but it cannot cause the input to occur. The second modeling constraint increases fidelity by modeling the situation where all circuits must have logic that initializes them to a known state to be able to rely on the correct function of the device. Devices like clocks are modeled by an initial state with a reset input transition before repeatedly toggling the clock output. The third and fourth modeling constraints avoid locations that prohibit the passing of time (i.e., locations that make the TSA Zeno). Constraints 3 and 4 prohibit Zeno locations with no enabled transition as the location invariant expires.
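As an added illustration of the four constraints (this is not from the original text; the period constant $p$, the clock variable $x$, and the location and action names $l_0, l_1, l_2$, $reset?$, $\overline{clk}$ are assumptions chosen here), the clock device just described can be written out as a TSA and checked constraint by constraint:

```latex
\begin{aligned}
&\text{Locations: } l_0 \text{ (initial, no invariant)},\quad l_1 \text{ (invariant } x \le p),\quad l_2 \text{ (invariant } x \le p)\\[2pt]
&\text{Transitions:}\\
&\quad l_0 \xrightarrow{\; reset?,\ x := 0 \;} l_1 \qquad \text{(input, no guard, resets } x)\\
&\quad l_1 \xrightarrow{\; x = p,\ \overline{clk},\ x := 0 \;} l_2 \qquad \text{(output, guard upper bound } x \le p)\\
&\quad l_2 \xrightarrow{\; x = p,\ \overline{clk},\ x := 0 \;} l_1 \qquad \text{(output, guard upper bound } x \le p)\\[2pt]
&\text{Constraint 1: only } l_1, l_2 \text{ carry invariants, and each offers an output; } l_0 \text{ offers only an input and has none.}\\
&\text{Constraint 2: } l_0 \text{ is stable, so } reset? \text{ must be received before the first } \overline{clk}.\\
&\text{Constraint 3: each output guard's upper bound } (x \le p) \text{ equals, and so is not stronger than, the invariant of its from-location.}\\
&\text{Constraint 4: } l_0 \to l_1 \text{ strengthens the invariant from none to } x \le p, \text{ but resets } x;\ l_1 \to l_2 \text{ and } l_2 \to l_1 \text{ leave the invariant unchanged.}
\end{aligned}
```

Dropping the reset on $l_0 \to l_1$ would violate constraint 4, and adding an invariant to $l_0$ would violate constraint 2 by letting the clock force its own $reset?$ input.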

Since parallel composition rules Com2 and Com3 relate inputs and outputs together, tighter inputting component constraints can adversely constrain outputting component timing and violate the fourth modeling constraint. To ensure that compositions continue to satisfy the modeling constraints and that TLC is transitive for compositions, a condition on compositions that specifies the necessary timing relationship between inputting and outputting components must be imposed.

A parallel composition with an output offered in a non-accepting location is a design error called computation interference (CI). The following property excludes CI from compositions.

Definition 31. CI-free Parallel Composition.

1. All non-parallel TSA and their induced DLTS are CI-free.

2. The n-parallel TSA $T_P = \langle (l_{01}, p_{01}), (l_{02}, p_{02}), \ldots, (l_{0n}, p_{0n}) \rangle$ and its induced DLTS automaton $P = (S_P, Act_P, \rightarrow_P, \langle (l_{01}, \pi_{01}), (l_{02}, \pi_{02}), \ldots, (l_{0n}, \pi_{0n}) \rangle)$ are CI-free over location:state space $L{:}S$, $L \subseteq L_P$, $S \subseteq S_P$ when:

V  {{ll,Pll),{h,Pl2),---,{ln,Pln)}  :  S  L:  S[ 

V  {U,  Pi  i)  (/J,  p\ .) [(ifj  €  Pi  A  TTi  €  ,•  A  ni[T]i  :=  0]  £  p{  j)  =»  (28) 

V  1  <  j  <  n[{j  ^  i  A  a  €  Aj)  ^ 

3  {lj,Pij)  {lj,Pij)[nj  6  pjAnj  6  pijMvjlnj  :=  0]  6  p{^]]]  A 

V  ih, 7?i)  (/', f^), l<j<n\j^i^B  =Uj  (Z;., jfj}]]  (29) 




In words, a composition is CI-free when all composition receivers accept every output offered by transmitters in the composition's reachable state space (Formula 28) and no agent in the composition prohibits the passing of time until an output occurs (Formula 29). All non-parallel TSA are CI-free by definition. A top-level parallel-composed specification must be CI-free over its own reachable state space.

With the modeling constraints and the CI-free property, the TLC partial-order properties can be established. For the purposes of the following proofs and definitions, assume that each subscripted $\mathcal{LC}^t$ relation $\mathcal{LC}^t_i \subseteq S_I \times S_S$ is a timed logic conformation according to Def. 29.

Lemma 2 The relation

$Id = \{(x, x) \mid x \in S\}$ (30)

is a timed logic conformation.

Proof

Given any DLTS automaton $(S, Act, \rightarrow, s_0)$, $P \in S$, $\sigma \in Act \cup \mathbb{R}$, every transition $P \overset{\sigma}{\rightarrow} P' \in \rightarrow$ can be matched by itself in the superset transition relations $P \overset{\sigma}{\Rightarrow}_i P'$ and $P \overset{\sigma}{\Rightarrow}_o P'$; and for $P \overset{\delta}{\rightarrow} P' \in \rightarrow$, since $P \overset{\delta}{\rightarrow} P' \Rightarrow (P \overset{\delta}{\dashrightarrow}_i P' \vee P \overset{\delta}{\dashrightarrow}_o P') \Rightarrow (P \overset{\delta}{\Rightarrow}_i P' \vee P \overset{\delta}{\Rightarrow}_o P')$, $\tau$-closure ensures $P \overset{\delta}{\Rightarrow}_i P'$ and $P \overset{\delta}{\Rightarrow}_o P'$; therefore, $(P, P) \in Id \Rightarrow (P \overset{\sigma}{\Rightarrow}_i P' \wedge P \overset{\sigma}{\Rightarrow}_o P' \wedge (P', P') \in Id)$, therefore Formulas 22 through 27 are satisfied and $Id$ is a timed logic conformation. □

Lemma 3 The composition relation

$\mathcal{LC}^t_1\mathcal{LC}^t_2 = \{(p, r) \mid (p, q) \in \mathcal{LC}^t_1 \wedge (q, r) \in \mathcal{LC}^t_2\}$ (31)

is a timed logic conformation.

Proof

The proof proceeds by assuming that $(P, R) \in \mathcal{LC}^t_1\mathcal{LC}^t_2$ and showing that for all possible actions that must be matched in each of the Formulas 22 through 27 in Def. 29, the actions are matched across the composition and $(P', R') \in \mathcal{LC}^t_1\mathcal{LC}^t_2$.

1. Formulas 22 and 23: Since $\mathcal{LC}^t_2$ is a logic conformation, according to Formulas 22 and 23, every $\alpha \in Act$, $R' \in S_R$, $R \overset{\alpha}{\rightarrow} R'$ is matched by some $Q'$ such that $Q \overset{\alpha}{\Rightarrow}_o Q' \wedge (Q', R') \in \mathcal{LC}^t_2$. Since $Q \overset{\alpha}{\Rightarrow}_o Q'$ is not $Q \overset{\alpha}{\rightarrow} Q'$, a Lemma of the following form is needed:

$\forall\, \alpha \in Act\,[((P, Q) \in \mathcal{LC}^t_1 \wedge Q \overset{\alpha}{\Rightarrow}_o Q') \Rightarrow (P \overset{\alpha}{\Rightarrow}_o P' \wedge (P', Q') \in \mathcal{LC}^t_1)]$

The proof of this is deferred to Lemma 4. Applying Lemma 4, $Q \overset{\alpha}{\Rightarrow}_o Q' \Rightarrow P \overset{\alpha}{\Rightarrow}_o P' \wedge (P', Q') \in \mathcal{LC}^t_1$, and by the definition of the composition relation $(P', R') \in \mathcal{LC}^t_1\mathcal{LC}^t_2$.

2. Formula 24: Since $\mathcal{LC}^t_1$ is a logic conformation, according to Formula 24, $\forall\, \alpha \in \mathcal{A}, P' \in S_P\,[P \overset{\alpha}{\rightarrow} P' \wedge Q \overset{\alpha}{\Rightarrow}$ is matched by some $Q'$ such that $Q \overset{\alpha}{\Rightarrow}_i Q' \wedge (P', Q') \in \mathcal{LC}^t_1]$. Since $Q \overset{\alpha}{\Rightarrow}_i Q'$ is not $Q \overset{\alpha}{\rightarrow} Q'$, a Lemma of the following form is needed:

$\forall\, \alpha \in \mathcal{A}\,[((Q, R) \in \mathcal{LC}^t_2 \wedge R \overset{\alpha}{\Rightarrow} \wedge Q \overset{\alpha}{\Rightarrow}_i Q') \Rightarrow (R \overset{\alpha}{\Rightarrow}_i R' \wedge (Q', R') \in \mathcal{LC}^t_2)]$

The proof of this is deferred to Lemma 5.

(a) $R \overset{\alpha}{\Rightarrow}$: Applying Lemma 5 implies $R \overset{\alpha}{\Rightarrow}_i R' \wedge (Q', R') \in \mathcal{LC}^t_2$, and by the definition of the composition relation $(P', R') \in \mathcal{LC}^t_1\mathcal{LC}^t_2$.

(b) $R \overset{\alpha}{\nRightarrow}$: $R$ need not match $Q$'s $\alpha$ and $(P', R')$ is not required in $\mathcal{LC}^t_1\mathcal{LC}^t_2$.

3. Formula 25: Since $\mathcal{LC}^t_1$ is a logic conformation, according to Formula 25, $\forall\, \beta \in \bar{\mathcal{A}} \cup \{\tau\}, P' \in S_P\,[P \overset{\beta}{\rightarrow} P'$ is matched by some $Q'$ such that $Q \overset{\beta}{\Rightarrow}_i Q' \wedge (P', Q') \in \mathcal{LC}^t_1]$. Since $Q \overset{\beta}{\Rightarrow}_i Q'$ is not $Q \overset{\beta}{\rightarrow} Q'$, a Lemma of the following form is needed:

$\forall\, \beta \in \bar{\mathcal{A}} \cup \{\tau\}\,[((Q, R) \in \mathcal{LC}^t_2 \wedge Q \overset{\beta}{\Rightarrow}_i Q') \Rightarrow (R \overset{\beta}{\Rightarrow}_i R' \wedge (Q', R') \in \mathcal{LC}^t_2)]$

The proof of this is deferred to Lemma 6. Applying Lemma 6 implies $R \overset{\beta}{\Rightarrow}_i R' \wedge (Q', R') \in \mathcal{LC}^t_2$, and by the definition of the composition relation $(P', R') \in \mathcal{LC}^t_1\mathcal{LC}^t_2$.

4. Formula 26: Since $\mathcal{LC}^t_2$ is a logic conformation, according to Formula 26, every $\delta \in \mathbb{R}$, $R' \in S_R$, $R \overset{\delta}{\dashrightarrow}_i R'$ is matched by some $Q'$ such that $Q \overset{\delta}{\Rightarrow}_o Q' \wedge (Q', R') \in \mathcal{LC}^t_2$ or the predicate $ob(Q, \delta, R, \mathcal{LC}^t_2)$ is true.

(a) $Q \overset{\delta}{\Rightarrow}_o Q' \wedge (Q', R') \in \mathcal{LC}^t_2$: Since $Q \overset{\delta}{\Rightarrow}_o Q'$ is not $Q \overset{\delta}{\dashrightarrow}_i Q'$, a Lemma of the following form is needed:

$\forall\, \delta \in \mathbb{R}\,[(Q \overset{\delta}{\Rightarrow}_o Q' \wedge \exists\, \alpha \in \mathcal{A}\,[Q' \overset{\alpha}{\Rightarrow}_o]) \Rightarrow ((P \overset{\delta}{\Rightarrow}_o P' \wedge (P', Q') \in \mathcal{LC}^t_1) \vee ob(P, \delta, Q, \mathcal{LC}^t_1))]$

The proof of this is deferred to Lemma 7. Applying Lemma 7, $\exists\, \alpha \in \mathcal{A}\,[Q' \overset{\alpha}{\Rightarrow}_o]$, because Def. 26 requires that $R' \overset{\alpha}{\Rightarrow}_o$ and $Q'$ must match $R$'s future inputs, so $(Q \overset{\delta}{\Rightarrow}_o Q') \Rightarrow ((P \overset{\delta}{\Rightarrow}_o P' \wedge (P', Q') \in \mathcal{LC}^t_1) \vee ob(P, \delta, Q, \mathcal{LC}^t_1))$.

i. $P \overset{\delta}{\Rightarrow}_o P' \wedge (P', Q') \in \mathcal{LC}^t_1$: By the definition of the composition, $(P', R') \in \mathcal{LC}^t_1\mathcal{LC}^t_2$.

ii. $ob(P, \delta, Q, \mathcal{LC}^t_1)$: Then $ob(P, \delta, R, \mathcal{LC}^t_1\mathcal{LC}^t_2)$ by Def. 28 and the definition of the composition.

(b) $ob(Q, \delta, R, \mathcal{LC}^t_2)$: From Def. 28, for some $\delta_1 < \delta$, $Q \overset{\delta_1}{\Rightarrow}_o Q'$, and Formula 26 implies $(P \overset{\delta_1}{\Rightarrow}_o P' \wedge (P', Q') \in \mathcal{LC}^t_1) \vee ob(P, \delta_1, Q, \mathcal{LC}^t_1)$.

i. $P \overset{\delta_1}{\Rightarrow}_o P' \wedge (P', Q') \in \mathcal{LC}^t_1$: Since $\delta_1 < \delta$ and $P'$ conforms to every $Q'$ reached by every $\delta \ge \delta_1$, and those $Q'$ logically conform to every $R'$ reached by those same $\delta$, $ob(P, \delta, R, \mathcal{LC}^t_1\mathcal{LC}^t_2)$ holds by Def. 28 and the definition of the composition.

ii. $ob(P, \delta_1, Q, \mathcal{LC}^t_1)$: Since $\delta > \delta_1$, it is true that $ob(P, \delta, R, \mathcal{LC}^t_1\mathcal{LC}^t_2)$ from Def. 28 and the definition of the composition.

5. Formula 27: Since $\mathcal{LC}^t_1$ is a logic conformation, according to Formula 27, $\forall\, \delta \in \mathbb{R}, P' \in S_P\,[P \overset{\delta}{\dashrightarrow}_o P'$ is matched by some $Q'$ such that $Q \overset{\delta}{\Rightarrow}_i Q' \wedge (P', Q') \in \mathcal{LC}^t_1]$. Since $Q \overset{\delta}{\Rightarrow}_i Q'$ is not $Q \overset{\delta}{\dashrightarrow}_o Q'$, a Lemma of the following form is needed:

$\forall\, \delta \in \mathbb{R}\,[((Q, R) \in \mathcal{LC}^t_2 \wedge Q \overset{\delta}{\Rightarrow}_i Q' \wedge \exists\, \beta \in \bar{\mathcal{A}} \cup \{\tau\}\,[Q' \overset{\beta}{\Rightarrow}_i]) \Rightarrow (R \overset{\delta}{\Rightarrow}_i R' \wedge (Q', R') \in \mathcal{LC}^t_2)]$

The proof of this is deferred to Lemma 8. Since $Q$ is required to match the outputs of $P$, it is true that $\exists\, \beta \in \bar{\mathcal{A}} \cup \{\tau\}\,[Q' \overset{\beta}{\Rightarrow}_i]$, and applying Lemma 8 implies $R \overset{\delta}{\Rightarrow}_i R' \wedge (Q', R') \in \mathcal{LC}^t_2$, and by the definition of the composition relation $(P', R') \in \mathcal{LC}^t_1\mathcal{LC}^t_2$. □

Lemma 4 Given that $\mathcal{LC}^t$ is a timed logic conformance:

$\forall\, \sigma \in Act\,[((I, S) \in \mathcal{LC}^t \wedge S \overset{\sigma}{\Rightarrow}_o S') \Rightarrow (I \overset{\sigma}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t)]$

Proof

1. Case $S (\overset{\tau}{\rightarrow})^* S^m \overset{\sigma}{\rightarrow} S^n (\overset{\tau}{\rightarrow})^* S'$ (Def. 25, first disjunct):

Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 23, every $S \overset{\tau}{\rightarrow} S^1$ is matched by some $I^1$ such that $I \overset{\tau}{\Rightarrow}_o I^1 \wedge (I^1, S^1) \in \mathcal{LC}^t$. This is true inductively for more $\tau \in \tau^*$ and $S^1 \cdots S^m$ and $I^1 \cdots I^m$ according to Formula 23.

According to Formulas 22 and 23, $S^m \overset{\sigma}{\rightarrow} S^n$ is matched by some $I^n$ such that $I^m \overset{\sigma}{\Rightarrow}_o I^n \wedge (I^n, S^n) \in \mathcal{LC}^t$. When $\sigma \in \mathbb{R}$, $S^m \overset{\sigma}{\rightarrow} S^n$ is $S^m \overset{\sigma}{\dashrightarrow}_i S^n$, Formula 26 applies, and since every DLTS state has a $\delta = 0$ transition by definition, $I^m \overset{\sigma}{\Rightarrow}_o I^n \wedge (I^n, S^n) \in \mathcal{LC}^t$.

Finally, by Formula 23 any sequence of $\tau$'s in $S^n \overset{\tau}{\rightarrow} S'$ is matched by $I^n \overset{\tau}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t$. And, by Def. 25, $(I \overset{\tau}{\Rightarrow}_o I^m \overset{\sigma}{\Rightarrow}_o I^n \overset{\tau}{\Rightarrow}_o I') \Rightarrow I \overset{\sigma}{\Rightarrow}_o I'$.

2. Case $S \overset{\delta_1}{\dashrightarrow}_i S^m \overset{\alpha}{\rightarrow} S^n \overset{\delta_2}{\dashrightarrow}_i S' \wedge \alpha \in \mathcal{A}, \delta_1, \delta_2 \in \mathbb{R}$ (Def. 25, third disjunct):

(a) $I \overset{\delta_1}{\Rightarrow}_o$:

i. $S \overset{\delta_1}{\dashrightarrow}_i S^m$: Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26, $S \overset{\delta_1}{\dashrightarrow}_i S^m$ is matched by some $I^m$ such that $I \overset{\delta_1}{\Rightarrow}_o I^m \wedge (I^m, S^m) \in \mathcal{LC}^t$. Since $(I^m, S^m) \in \mathcal{LC}^t \wedge S^m \overset{\alpha}{\rightarrow} S^n$, Formulas 22 and 23 require some $I^n$ such that $I^m \overset{\alpha}{\Rightarrow}_o I^n \wedge (I^n, S^n) \in \mathcal{LC}^t$.

A. $I^n \overset{\delta_2}{\Rightarrow}_o$:

Case $S^n \overset{\delta_2}{\dashrightarrow}_i S'$: Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26, $S^n \overset{\delta_2}{\dashrightarrow}_i S'$ is matched by some $I'$ such that $I^n \overset{\delta_2}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t$. And $(I \overset{\delta_1}{\Rightarrow}_o I^m \overset{\alpha}{\Rightarrow}_o I^n \overset{\delta_2}{\Rightarrow}_o I') \Rightarrow I \overset{\alpha}{\Rightarrow}_o I'$ by Def. 25.

Case $S^n \overset{\delta_2}{\not\dashrightarrow}_i S'$: $I^n$ need not match $S^n$'s $\delta_2$ and $(I', S')$ is not required in $\mathcal{LC}^t$.

B. $I^n \overset{\delta_2}{\nRightarrow}_o$ ($ob(I^n, \delta_2, S^n, \mathcal{LC}^t)$ holds): Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26 and Def. 28, $\exists\, I' \in S_I, \delta_2' \in \mathbb{R}\,[I^n \overset{\delta_2'}{\Rightarrow}_o I' \wedge S^n \overset{\delta_2'}{\dashrightarrow}_i S' \Rightarrow (I', S') \in \mathcal{LC}^t]$. And $(I \overset{\delta_1}{\Rightarrow}_o I^m \overset{\alpha}{\Rightarrow}_o I^n \overset{\delta_2'}{\Rightarrow}_o I') \Rightarrow I \overset{\alpha}{\Rightarrow}_o I'$ by Def. 25.

ii. $S \overset{\delta_1}{\not\dashrightarrow}_i S^m$: then $I$ need not match $S$'s $\delta_1$ and $(I^m, S^m)$ is not required in $\mathcal{LC}^t$.

(b) $I \overset{\delta_1}{\nRightarrow}_o$ ($ob(I, \delta_1, S, \mathcal{LC}^t)$ holds): Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26 and Def. 28, $\exists\, I^m \in S_I, \delta_1' \in \mathbb{R}\,[I \overset{\delta_1'}{\Rightarrow}_o I^m \wedge S \overset{\delta_1'}{\dashrightarrow}_i S^m \Rightarrow (I^m, S^m) \in \mathcal{LC}^t]$. Since $(I^m, S^m) \in \mathcal{LC}^t \wedge S^m \overset{\alpha}{\rightarrow} S^n$, Formulas 22 and 23 require some $I^n$ such that $I^m \overset{\alpha}{\Rightarrow}_o I^n \wedge (I^n, S^n) \in \mathcal{LC}^t$.

i. $I^n \overset{\delta_2}{\Rightarrow}_o$:

A. $S^n \overset{\delta_2}{\dashrightarrow}_i S'$: Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26, $S^n \overset{\delta_2}{\dashrightarrow}_i S'$ is matched by some $I'$ such that $I^n \overset{\delta_2}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t$. And $(I \overset{\delta_1'}{\Rightarrow}_o I^m \overset{\alpha}{\Rightarrow}_o I^n \overset{\delta_2}{\Rightarrow}_o I') \Rightarrow I \overset{\alpha}{\Rightarrow}_o I'$ by Def. 25.

B. $S^n \overset{\delta_2}{\not\dashrightarrow}_i S'$: $I^n$ need not match $\delta_2$ and $(I', S')$ is not required in $\mathcal{LC}^t$.

ii. $I^n \overset{\delta_2}{\nRightarrow}_o$ ($ob(I^n, \delta_2, S^n, \mathcal{LC}^t)$ holds): Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26 and Def. 28, $\exists\, I' \in S_I, \delta_2' \in \mathbb{R}\,[I^n \overset{\delta_2'}{\Rightarrow}_o I' \wedge S^n \overset{\delta_2'}{\dashrightarrow}_i S' \Rightarrow (I', S') \in \mathcal{LC}^t]$. And $(I \overset{\delta_1'}{\Rightarrow}_o I^m \overset{\alpha}{\Rightarrow}_o I^n \overset{\delta_2'}{\Rightarrow}_o I') \Rightarrow I \overset{\alpha}{\Rightarrow}_o I'$ by Def. 25. □

Lemma 5 Given that $\mathcal{LC}^t$ is a timed logic conformance:

$\forall\, \alpha \in \mathcal{A}, I' \in S_I\,[((I, S) \in \mathcal{LC}^t \wedge S \overset{\alpha}{\Rightarrow} \wedge I \overset{\alpha}{\Rightarrow}_i I') \Rightarrow \exists\, S' \in S_S\,[S \overset{\alpha}{\Rightarrow}_i S' \wedge (I', S') \in \mathcal{LC}^t]]$

Proof

1. $I (\overset{\tau}{\rightarrow})^* I^m \overset{\alpha}{\rightarrow} I^n (\overset{\tau}{\rightarrow})^* I'$ (from Def. 24, first disjunct): Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 25, every $I^1$, $I \overset{\tau}{\rightarrow} I^1$ is matched by some $S^1$ such that $S \overset{\tau}{\Rightarrow}_i S^1 \wedge (I^1, S^1) \in \mathcal{LC}^t$. This is true inductively for more $\tau \in \tau^*$ and $I^1 \cdots I^m$ and $S^1 \cdots S^m$ according to Formula 25. According to Formula 24, $I^m \overset{\alpha}{\rightarrow} I^n$ is matched by some $S^n$ such that $S^m \overset{\alpha}{\Rightarrow}_i S^n \wedge (I^n, S^n) \in \mathcal{LC}^t$. And finally, by Formula 25 any sequence of $\tau$'s in $I^n \overset{\tau}{\rightarrow} I'$ is matched by $S^n \overset{\tau}{\Rightarrow}_i S' \wedge (I', S') \in \mathcal{LC}^t$. And, by Def. 24, $(S \overset{\tau}{\Rightarrow}_i S^m \overset{\alpha}{\Rightarrow}_i S^n \overset{\tau}{\Rightarrow}_i S') \Rightarrow S \overset{\alpha}{\Rightarrow}_i S'$.

2. $I \overset{\delta_1}{\dashrightarrow}_o I^m \overset{\alpha}{\rightarrow} I^n \overset{\delta_2}{\dashrightarrow}_o I' \wedge \alpha \in \mathcal{A}, \delta_1, \delta_2 \in \mathbb{R}$ (Def. 24, third disjunct):

(a) $I \overset{\delta_1}{\dashrightarrow}_o I^m$: According to Formula 27, $I \overset{\delta_1}{\dashrightarrow}_o I^m$ is matched by some $S^m$ such that $S \overset{\delta_1}{\Rightarrow}_i S^m \wedge (I^m, S^m) \in \mathcal{LC}^t$. Since $(I^m, S^m) \in \mathcal{LC}^t \wedge I^m \overset{\alpha}{\rightarrow} I^n$, Formula 24 requires some $S^n$ such that $S^m \overset{\alpha}{\Rightarrow}_i S^n \wedge (I^n, S^n) \in \mathcal{LC}^t$.

i. $I^n \overset{\delta_2}{\dashrightarrow}_o I'$: According to Formula 27, $I^n \overset{\delta_2}{\dashrightarrow}_o I'$ is matched by some $S'$ such that $S^n \overset{\delta_2}{\Rightarrow}_i S' \wedge (I', S') \in \mathcal{LC}^t$. Finally, by Def. 24, $(S \overset{\delta_1}{\Rightarrow}_i S^m \overset{\alpha}{\Rightarrow}_i S^n \overset{\delta_2}{\Rightarrow}_i S') \Rightarrow S \overset{\alpha}{\Rightarrow}_i S'$.

ii. $I^n \overset{\delta_2}{\not\dashrightarrow}_o$: $S^n$ is not required to match $\delta_2$ and $(I', S')$ is not required in $\mathcal{LC}^t$.

(b) $I \overset{\delta_1}{\not\dashrightarrow}_o$: $S$ is not required to match $\delta_1$ and $(I^m, S^m)$ is not required in $\mathcal{LC}^t$. □
Lemma 6 Given that $\mathcal{LC}^t$ is a timed logic conformance:

$\forall\, \beta \in \bar{\mathcal{A}} \cup \{\tau\}\,[((I, S) \in \mathcal{LC}^t \wedge I \overset{\beta}{\Rightarrow}_i I') \Rightarrow (S \overset{\beta}{\Rightarrow}_i S' \wedge (I', S') \in \mathcal{LC}^t)]$

Proof

From Def. 24, first disjunct: $I (\overset{\tau}{\rightarrow})^* I^m \overset{\beta}{\rightarrow} I^n (\overset{\tau}{\rightarrow})^* I'$. Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 25, every $I^1$, $I \overset{\tau}{\rightarrow} I^1$ is matched by some $S^1$ such that $S \overset{\tau}{\Rightarrow}_i S^1 \wedge (I^1, S^1) \in \mathcal{LC}^t$. This is true inductively for more $\tau \in \tau^*$ and $I^1 \cdots I^m$ and $S^1 \cdots S^m$ according to Formula 25. According to Formula 25, $I^m \overset{\beta}{\rightarrow} I^n$ is matched by some $S^n$ such that $S^m \overset{\beta}{\Rightarrow}_i S^n \wedge (I^n, S^n) \in \mathcal{LC}^t$. When $\beta = \tau$, $I^m \overset{\tau}{\Rightarrow} I^n$ with $m = n$, so $S^m \overset{\tau}{\Rightarrow}_i S^n \wedge (I^n, S^n) \in \mathcal{LC}^t$. And finally, by Formula 25 any sequence of $\tau$'s in $I^n \overset{\tau}{\rightarrow} I'$ is matched by $S^n \overset{\tau}{\Rightarrow}_i S' \wedge (I', S') \in \mathcal{LC}^t$.

And, by Def. 24, $(S \overset{\tau}{\Rightarrow}_i S^m \overset{\beta}{\Rightarrow}_i S^n \overset{\tau}{\Rightarrow}_i S') \Rightarrow S \overset{\beta}{\Rightarrow}_i S'$. □

Lemma 7 Given that $\mathcal{LC}^t$ is a timed logic conformance:

$\forall\, \delta \in \mathbb{R}\,[((I, S) \in \mathcal{LC}^t \wedge S \overset{\delta}{\Rightarrow}_o S' \wedge \exists\, \alpha \in \mathcal{A}\,[S' \overset{\alpha}{\Rightarrow}_o]) \Rightarrow ((I \overset{\delta}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t) \vee ob(I, \delta, S, \mathcal{LC}^t))]$

Proof

1. Case $S (\overset{\tau}{\rightarrow})^* S^m \overset{\delta}{\rightarrow} S^n (\overset{\tau}{\rightarrow})^* S'$ (Def. 25, first disjunct):

Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 23, every $S \overset{\tau}{\rightarrow} S^1$ is matched by some $I^1$ such that $I \overset{\tau}{\Rightarrow}_o I^1 \wedge (I^1, S^1) \in \mathcal{LC}^t$. This is true inductively for more $\tau \in \tau^*$ and $S^1 \cdots S^m$ and $I^1 \cdots I^m$ according to Formula 23, so $I \overset{\tau}{\Rightarrow}_o I^m \wedge (I^m, S^m) \in \mathcal{LC}^t$.

Since $\exists\, \alpha \in \mathcal{A}\,[S' \overset{\alpha}{\Rightarrow}_o]$, $S^m \overset{\delta}{\rightarrow} S^n \Rightarrow S^m \overset{\delta}{\dashrightarrow}_i S^n$ by Def. 26, and $\exists\, I^n \in S_I$ such that $I^m \overset{\delta}{\Rightarrow}_o I^n \wedge (I^n, S^n) \in \mathcal{LC}^t \vee ob(I^m, \delta, S^m, \mathcal{LC}^t)$ according to Formula 26.

(a) $I^m \overset{\delta}{\Rightarrow}_o$: Then $I^m \overset{\delta}{\Rightarrow}_o I^n \wedge (I^n, S^n) \in \mathcal{LC}^t$ by Formula 26, and by Formula 23 any sequence of $\tau$'s in $S^n \overset{\tau}{\rightarrow} S'$ is matched by $I^n \overset{\tau}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t$. And, by Def. 25, $(I \overset{\tau}{\Rightarrow}_o I^m \overset{\delta}{\Rightarrow}_o I^n \overset{\tau}{\Rightarrow}_o I') \Rightarrow I \overset{\delta}{\Rightarrow}_o I'$.

(b) $I^m \overset{\delta}{\nRightarrow}_o$:

i. $\exists\, i \in \{0 \ldots m\}\,[I^i \overset{\delta}{\Rightarrow}_o I']$: Then $I^i$ is another $I^m$ and case $I^m \overset{\delta}{\Rightarrow}_o$ (above) applies.

ii. $\nexists\, i \in \{0 \ldots m\}\,[I^i \overset{\delta}{\Rightarrow}_o]$: Then $\forall\, i \in \{0 \ldots m\}\,[ob(I^i, \delta, S^i, \mathcal{LC}^t)]$, and in particular according to Def. 28 $ob(I, \delta, S, \mathcal{LC}^t)$.

2. Case $S \overset{\delta_1}{\rightarrow} S^m (\overset{\tau}{\rightarrow})^* S^n \overset{\delta_2}{\rightarrow} S' \wedge \delta_1, \delta_2 \in \mathbb{R} \wedge \delta = \delta_1 + \delta_2$ (Def. 25, second disjunct):

(a) $I \overset{\delta_1}{\Rightarrow}_o$: Since $\exists\, \alpha \in \mathcal{A}\,[S' \overset{\alpha}{\Rightarrow}_o]$, $S \overset{\delta_1}{\rightarrow} S^m \Rightarrow S \overset{\delta_1}{\dashrightarrow}_i S^m$ by Def. 26. Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26, $S \overset{\delta_1}{\dashrightarrow}_i S^m$ is matched by some $I^m$ such that $I \overset{\delta_1}{\Rightarrow}_o I^m \wedge (I^m, S^m) \in \mathcal{LC}^t$. Since $(I^m, S^m) \in \mathcal{LC}^t$, by Formula 23, any sequence of $\tau$'s in $S^m \overset{\tau}{\rightarrow} S^n$ is matched by $I^m \overset{\tau}{\Rightarrow}_o I^n \wedge (I^n, S^n) \in \mathcal{LC}^t$.

i. $I^n \overset{\delta_2}{\Rightarrow}_o$: Since $\exists\, \alpha \in \mathcal{A}\,[S' \overset{\alpha}{\Rightarrow}_o]$, $S^n \overset{\delta_2}{\rightarrow} S' \Rightarrow S^n \overset{\delta_2}{\dashrightarrow}_i S'$ by Def. 26. Since $\mathcal{LC}^t$ is a timed logic conformation and $(I^n, S^n) \in \mathcal{LC}^t$, according to Formula 26, $S^n \overset{\delta_2}{\dashrightarrow}_i S'$ is matched by some $I'$ such that $I^n \overset{\delta_2}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t$. And, $I \overset{\delta_1}{\Rightarrow}_o I^m \overset{\tau}{\Rightarrow}_o I^n \overset{\delta_2}{\Rightarrow}_o I' \Rightarrow I \overset{\delta}{\Rightarrow}_o I'$ by Def. 25.

ii. $I^n \overset{\delta_2}{\nRightarrow}_o$ ($ob(I^n, \delta_2, S^n, \mathcal{LC}^t)$ holds): Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 26 and Def. 28, $\exists\, I' \in S_I, \delta_2' \in \mathbb{R}\,[I^n \overset{\delta_2'}{\Rightarrow}_o I' \wedge S^n \overset{\delta_2'}{\dashrightarrow}_i S' \Rightarrow (I', S') \in \mathcal{LC}^t]$.

A. $\exists\, i \in \{m \ldots n\}\,[I^i \overset{\delta_2}{\Rightarrow}_o I']$: Then $I^i$ is another $I^n$ and case $I^n \overset{\delta_2}{\Rightarrow}_o$ (above) applies.

B. $\nexists\, i \in \{m \ldots n\}\,[I^i \overset{\delta_2}{\Rightarrow}_o]$: Then $\forall\, i \in \{m \ldots n\}\,[ob(I^i, \delta_2, S^i, \mathcal{LC}^t)]$, and in particular according to Def. 28 $ob(I^m, \delta_2, S^m, \mathcal{LC}^t)$. The modeling constraints imposed in Definition 30 on page 63 ensure that all $I \overset{\delta}{\Rightarrow}_o$ transitions are derived from a location with a monotonically stronger invariant than $I^m$, so since $I^m \overset{\delta_2}{\nRightarrow}_o$ there can be no $I \overset{\delta}{\Rightarrow}_o$ such that $\delta \ge \delta_1 + \delta_2$. Therefore $I \overset{\delta}{\nRightarrow}_o$ for $\delta = \delta_1 + \delta_2$, and $ob(I, \delta, S, \mathcal{LC}^t)$ holds.

(b) $I \overset{\delta_1}{\nRightarrow}_o$ ($ob(I, \delta_1, S, \mathcal{LC}^t)$ holds): By Def. 28, $\delta > \delta_1 \Rightarrow ob(I, \delta, S, \mathcal{LC}^t)$. □

Lemma 8 Given that $\mathcal{LC}^t$ is a timed logic conformance:

$\forall\, \delta \in \mathbb{R}\,[((I, S) \in \mathcal{LC}^t \wedge I \overset{\delta}{\Rightarrow}_i I' \wedge \exists\, \beta \in \bar{\mathcal{A}} \cup \{\tau\}\,[I' \overset{\beta}{\Rightarrow}_i]) \Rightarrow (S \overset{\delta}{\Rightarrow}_i S' \wedge (I', S') \in \mathcal{LC}^t)]$

Proof

1. Case $I (\overset{\tau}{\rightarrow})^* I^m \overset{\delta}{\rightarrow} I^n (\overset{\tau}{\rightarrow})^* I'$ (Def. 24, first disjunct):

Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 25, every $I \overset{\tau}{\rightarrow} I^1$ is matched by some $S^1$ such that $S \overset{\tau}{\Rightarrow}_i S^1 \wedge (I^1, S^1) \in \mathcal{LC}^t$. This is true inductively for more $\tau \in \tau^*$ and $I^1 \cdots I^m$ and $S^1 \cdots S^m$ according to Formula 25. Since $\exists\, \beta \in \bar{\m athcal{A}} \cup \{\tau\}\,[I' \overset{\beta}{\Rightarrow}_i]$, it is true that $I^m \overset{\delta}{\dashrightarrow}_o I^n$ by Def. 27. According to Formula 27, $I^m \overset{\delta}{\dashrightarrow}_o I^n$ is matched by some $S^n$ such that $S^m \overset{\delta}{\Rightarrow}_i S^n \wedge (I^n, S^n) \in \mathcal{LC}^t$. And finally, by Formula 25 any sequence of $\tau$'s in $I^n \overset{\tau}{\rightarrow} I'$ is matched by $S^n \overset{\tau}{\Rightarrow}_i S' \wedge (I', S') \in \mathcal{LC}^t$. And, by Def. 24, $(S \overset{\tau}{\Rightarrow}_i S^m \overset{\delta}{\Rightarrow}_i S^n \overset{\tau}{\Rightarrow}_i S') \Rightarrow S \overset{\delta}{\Rightarrow}_i S'$.

2. Case $I \overset{\delta_1}{\rightarrow} I^0 (\overset{\tau}{\rightarrow})^* I^n \overset{\delta_2}{\rightarrow} I' \wedge \delta_1, \delta_2 \in \mathbb{R} \wedge \delta = \delta_1 + \delta_2$ (Def. 24, second disjunct):

Since $\exists\, \beta \in \bar{\mathcal{A}} \cup \{\tau\}\,[I' \overset{\beta}{\Rightarrow}_i]$, it is true that $I \overset{\delta_1}{\dashrightarrow}_o I^0$ by Def. 27. Since $\mathcal{LC}^t$ is a timed logic conformation, according to Formula 27, every $I \overset{\delta_1}{\dashrightarrow}_o I^0$ is matched by some $S^0$ such that $S \overset{\delta_1}{\Rightarrow}_i S^0 \wedge (I^0, S^0) \in \mathcal{LC}^t$. According to Formula 25, every $I^1$, $I^0 \overset{\tau}{\rightarrow} I^1$ is matched by some $S^1$ such that $S^0 \overset{\tau}{\Rightarrow}_i S^1 \wedge (I^1, S^1) \in \mathcal{LC}^t$. This is true inductively for more $\tau \in \tau^*$ and $I^1 \cdots I^n$ and $S^1 \cdots S^n$ according to Formula 25. Since $\exists\, \beta \in \bar{\mathcal{A}} \cup \{\tau\}\,[I' \overset{\beta}{\Rightarrow}_i]$, it is true that $I^n \overset{\delta_2}{\dashrightarrow}_o I'$ by Def. 27. According to Formula 27, $I^n \overset{\delta_2}{\dashrightarrow}_o I'$ is matched by some $S'$ such that $S^n \overset{\delta_2}{\Rightarrow}_i S' \wedge (I', S') \in \mathcal{LC}^t$. And, by Def. 24, $(S \overset{\delta_1}{\Rightarrow}_i S^0 \overset{\tau}{\Rightarrow}_i S^n \overset{\delta_2}{\Rightarrow}_i S') \Rightarrow S \overset{\delta}{\Rightarrow}_i S'$. □
Lemma 8 finally establishes that the composition of two timed logic conformances $\mathcal{LC}^t_1\mathcal{LC}^t_2$ is a timed logic conformance.

Lemma 9 Given a timed logic conformation $\mathcal{LC}^t$, if its inverse is also a timed logic conformation, then $\mathcal{LC}^t$ is a weak timed bisimulation.

Proof

The proof is structured over the formulas defining $\mathcal{LC}^t$, deriving the formulas defining a weak timed bisimulation when the $\mathcal{LC}^t$ formulas hold in both directions.

1. Formula 22: Conjuncting Formulas 22 and 24 together and reversing the roles of $S$ and $I$ in the transition predicates of Formula 24 yields

$\forall\, S'\,[S \overset{\alpha}{\rightarrow} S' \Rightarrow \exists\, I'\,[I \overset{\alpha}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t]] \wedge$

$\forall\, S'\,[S \overset{\alpha}{\rightarrow} S' \wedge I \overset{\alpha}{\Rightarrow} \Rightarrow \exists\, I'\,[I \overset{\alpha}{\Rightarrow}_i I' \wedge (I', S') \in \mathcal{LC}^t]]$

Since $I \overset{\alpha}{\Rightarrow}_o I'$, and $\alpha \in \mathcal{A}$, the third disjunct of Def. 25 does not apply, so $I \overset{\alpha}{\Rightarrow}_o I' \Rightarrow I \overset{\alpha}{\Rightarrow}$, resulting in

$\forall\, S'\,[S \overset{\alpha}{\rightarrow} S' \Rightarrow \exists\, I'\,[I \overset{\alpha}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t]] \wedge$

$\forall\, S'\,[S \overset{\alpha}{\rightarrow} S' \Rightarrow \exists\, I'\,[I \overset{\alpha}{\Rightarrow}_i I' \wedge (I', S') \in \mathcal{LC}^t]]$

Combining implications results in

$\forall\, S'\,[S \overset{\alpha}{\rightarrow} S' \Rightarrow \exists\, I'\,[I \overset{\alpha}{\Rightarrow}_o I' \wedge I \overset{\alpha}{\Rightarrow}_i I' \wedge (I', S') \in \mathcal{LC}^t]]$

And since $\nexists\, \alpha \in Act\,[\alpha \in \mathcal{A} \wedge \alpha \in \bar{\mathcal{A}}]$, only the first two disjuncts of both Definitions 24 and 25 are consistent with each other, and they equal the definition of $\tau$-closure (Def. 20),

$\forall\, S'\,[S \overset{\alpha}{\rightarrow} S' \Rightarrow \exists\, I'\,[I \overset{\alpha}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t]]$

2. Formula 23: Conjuncting Formulas 23 and 25 and reversing the roles of $S$ and $I$ in Formula 25 transition predicates yields

$\forall\, S'\,[S \overset{\beta}{\rightarrow} S' \Rightarrow \exists\, I'\,[I \overset{\beta}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t]] \wedge$

$\forall\, S'\,[S \overset{\beta}{\rightarrow} S' \Rightarrow \exists\, I'\,[I \overset{\beta}{\Rightarrow}_i I' \wedge (I', S') \in \mathcal{LC}^t]]$

which by a subset of the $\alpha$-case reasoning simplifies to

$\forall\, S'\,[S \overset{\beta}{\rightarrow} S' \Rightarrow \exists\, I'\,[I \overset{\beta}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t]]$


3. Formula 26: Conjuncting Formulas 26 and 27 and reversing the roles of $S$ and $I$ in Formula 27 yields

$\forall\, S'\,[S \overset{\delta}{\dashrightarrow}_i S' \Rightarrow (\exists\, I'\,[I \overset{\delta}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^t] \vee ob(I, \delta, S, \mathcal{LC}^t))] \wedge$

$\forall\, S'\,[S \overset{\delta}{\dashrightarrow}_o S' \Rightarrow \exists\, I'\,[I \overset{\delta}{\Rightarrow}_i I' \wedge (I', S') \in \mathcal{LC}^t]]$

Since $\delta$ transitions are added to all three extended transition relations in the same way, $\overset{\delta}{\Rightarrow} = \overset{\delta}{\Rightarrow}_i = \overset{\delta}{\Rightarrow}_o$, the consequents of the implications can be changed as follows:

$\forall\, S'\,[S \overset{\delta}{\dashrightarrow}_i S' \Rightarrow (\exists\, I'\,[I \overset{\delta}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t] \vee ob(I, \delta, S, \mathcal{LC}^t))] \wedge$

$\forall\, S'\,[S \overset{\delta}{\dashrightarrow}_o S' \Rightarrow \exists\, I'\,[I \overset{\delta}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t]]$

In order to unite the antecedents, Table 4 reports all possible combinations of truth values for the three clauses under the assumptions that $\mathcal{LC}^t$ and its inverse are both logic conformations and that $(I, S) \in \mathcal{LC}^t \wedge S \overset{\delta}{\rightarrow} S'$.


Table 4. Delta Predicate Truth Table.

  $S \overset{\delta}{\dashrightarrow}_i S'$   $S \overset{\delta}{\dashrightarrow}_o S'$   $ob(I, \delta, S, \mathcal{LC}^t)$   Conclusion
  0   0   0   $\exists\, I'\,[I \overset{\delta}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t]$ (case 000)
  0   0   1   *See case 0X1.
  0   1   0   $\exists\, I'\,[I \overset{\delta}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t]$
  0   1   1   *See case 0X1.
  1   0   0   $\exists\, I'\,[I \overset{\delta}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t]$
  1   0   1   *See case 1X1.
  1   1   0   $\exists\, I'\,[I \overset{\delta}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t]$
  1   1   1   *See case 1X1.

  * Contradiction, impossible case.

(a) 000: Since $S \overset{\delta}{\not\dashrightarrow}_o S'$ and $S \overset{\delta}{\not\dashrightarrow}_i S'$ there are no inputs, outputs, or $\tau$'s possible from $S'$ or its derivatives. Therefore there is no upper bound on $S$ or $S'$ $\delta$-transitions because modeling constraints restrict upper bounds to output- or $\tau$-capable locations. Since only non-Zeno automatons are allowed, time must continue to progress forever. Further, future $I$ states must exhibit the same behavior, for if there were any future non-delta actions possible from some $I'$ they would have to be possible from the corresponding $S'$. This includes inputs, because Formula 22 has to hold over the inverse relation, and it also includes $\tau$'s because the modeling constraints would upper-bound time progression from $I$ and $ob(I, \delta, S, \mathcal{LC}^t)$ would have to be true, and $ob(I, \delta, S, \mathcal{LC}^t)$ is not true. Therefore $S \overset{\delta}{\rightarrow} S' \Rightarrow \exists\, I'\,[I \overset{\delta}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t]$.

(b) 0X1: $ob(I, \delta, S, \mathcal{LC}^t)$ implies $I \overset{\delta_1}{\Rightarrow}_o I''$ for some $\delta_1 < \delta$ (Def. 28). Since $S'$ must conform to $I'$, $S' \overset{\alpha}{\Rightarrow}_o$, and $S \overset{\delta}{\rightarrow} S' \Rightarrow S \overset{\delta}{\dashrightarrow}_i S'$, a contradiction, so case 0X1 is impossible.

(c) 1X1: $S \overset{\delta}{\dashrightarrow}_i S' \wedge I \overset{\delta}{\Rightarrow}_o I' \Rightarrow \neg ob(I, \delta, S, \mathcal{LC}^t)$, a contradiction, so case 1X1 is impossible.

Since all of the possible cases conclude $I \overset{\delta}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t$, the two implications can be united and the antecedent can be generalized to all $\delta$-transitions resulting in

$\forall\, S'\,[S \overset{\delta}{\rightarrow} S' \Rightarrow \exists\, I'\,[I \overset{\delta}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t]]$

Since $\alpha \in \mathcal{A}$, $\beta \in \bar{\mathcal{A}} \cup \{\tau\}$, and $\delta \in \mathbb{R}$ cover the domain of $\sigma$ in Def. 21, and $\forall\, \alpha \in \mathcal{A}\,[\hat{\alpha} = \alpha]$ and $\forall\, \delta \in \mathbb{R}\,[\hat{\delta} = \delta]$, the three results from above can be combined into the single formula:

$\forall\, S'\,[S \overset{\sigma}{\rightarrow} S' \Rightarrow \exists\, I'\,[I \overset{\hat{\sigma}}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t]]$

Further, since the same pairs of formulas hold for all $\alpha$-, $\beta$-, and $\delta$-transitions that $I$ can do,

$\forall\, I'\,[I \overset{\sigma}{\rightarrow} I' \Rightarrow \exists\, S'\,[S \overset{\hat{\sigma}}{\Rightarrow} S' \wedge (I', S') \in \mathcal{LC}^t]]$

therefore $\mathcal{LC}^t$ is a weak timed bisimulation:

$\forall\, (I, S) \in \mathcal{LC}^t, \sigma \in Act \cup \mathbb{R}\,[\forall\, S'\,[S \overset{\sigma}{\rightarrow} S' \Rightarrow \exists\, I'\,[I \overset{\hat{\sigma}}{\Rightarrow} I' \wedge (I', S') \in \mathcal{LC}^t]] \wedge \forall\, I'\,[I \overset{\sigma}{\rightarrow} I' \Rightarrow \exists\, S'\,[S \overset{\hat{\sigma}}{\Rightarrow} S' \wedge (I', S') \in \mathcal{LC}^t]]]$ □

The final property that must be established about timed logic conformations is that the union of a set of timed logic conformations is a timed logic conformation.

Lemma 10 The union

$\bigcup_i \mathcal{LC}^t_i$ (32)

is a timed logic conformation.
Proof

For every pair of states $(P, R) \in \bigcup_i \mathcal{LC}^t_i$ and for every possible action, the Formulas 22 through 27 hold for some $\mathcal{LC}^t_i$; so, by Def. 29 and the definition of union, they hold for $\bigcup_i \mathcal{LC}^t_i$; therefore $\bigcup_i \mathcal{LC}^t_i$ is a timed logic conformation. □

4.8 Timed Logic Conformance as a Maximum Fixpoint

The definition of $\mathcal{LC}^t$ must be narrowed down so that it uniquely defines one of the many possible relations between DLTS automata states. There are many possible solutions to the relation $\mathcal{LC}^t$ as defined, including $\mathcal{LC}^t = \emptyset$. The one $\mathcal{LC}^t$ relation of particular interest is the largest relation, known as the maximum fixpoint of $\mathcal{LC}^t$. The maximum fixpoint of $\mathcal{LC}^t$ is useful because implementation DLTS $I$ can be safely substituted for a specification DLTS $S$ when the initial states of $I$ and $S$ are in the maximum fixpoint relation. The following definitions and claims are made for DLTS induced from TSA conforming to the modeling constraints enumerated in Definition 30.


Definition 32. Timed Logic Conformation Maximum Fixpoint: $\mathcal{LC}^t$.

$\mathcal{LC}^t = \bigcup_{\mathcal{R} \in \mathcal{P}(S_I \times S_S)} \{\mathcal{R} \mid \mathcal{R} \text{ is a timed logic conformation}\}$

Theorem 3 Given Def. 32, $\mathcal{LC}^t$ is the largest timed logic conformation.

Proof

By Lemma 10, $\mathcal{LC}^t$ is a timed logic conformation, and by definition it includes any other such. □

Definition 33. Timed Logic Conformant DLTS: $I \sqsubseteq_t S$. Two DLTS's $I = (S_I, Act_I, \rightarrow_I, (l_0, \pi_0)_I)$ and $S = (S_S, Act_S, \rightarrow_S, (l_0, \pi_0)_S)$, induced from TSA conforming to the Definition 30 modeling constraints, are timed logic conformant (written $I \sqsubseteq_t S$) iff

$((l_0, \pi_0)_I, (l_0, \pi_0)_S) \in \mathcal{LC}^t$ (33)

Theorem 4 Given Def. 32, $\sqsubseteq_t$ is a partial order.

Proof

1. Reflexive: For any DLTS $P$, $P \sqsubseteq_t P$ by Lemma 2 since $((l_0, \pi_0)_P, (l_0, \pi_0)_P) \in \mathcal{LC}^t$.

2. Transitive: For three DLTS $P$, $Q$, and $R$, $P \sqsubseteq_t Q \wedge Q \sqsubseteq_t R \Rightarrow P \sqsubseteq_t R$ by Lemma 3 since $((l_0, \pi_0)_P, (l_0, \pi_0)_Q) \in \mathcal{LC}^t_1 \wedge ((l_0, \pi_0)_Q, (l_0, \pi_0)_R) \in \mathcal{LC}^t_2 \Rightarrow ((l_0, \pi_0)_P, (l_0, \pi_0)_R) \in \mathcal{LC}^t_1\mathcal{LC}^t_2$.

3. Antisymmetric: For two DLTS $P$ and $Q$, $P \sqsubseteq_t Q \wedge Q \sqsubseteq_t P$ implies that $P$ and $Q$ are weakly timed bisimilar per Lemma 9, since $(((l_0, \pi_0)_P, (l_0, \pi_0)_Q) \in \mathcal{LC}^t \wedge ((l_0, \pi_0)_Q, (l_0, \pi_0)_P) \in \mathcal{LC}^t) \Rightarrow ((l_0, \pi_0)_Q, (l_0, \pi_0)_P) \in \mathcal{W}$. □

Finally, $\sqsubseteq_t$ is overloaded to relate TSA conforming to the modeling constraints enumerated in Definition 30.

Definition 34. Timed Logic Conformant TSA: $I \sqsubseteq_t S$. An implementation TSA $I$ is timed logic conformant to specification TSA $S$ (written $I \sqsubseteq_t S$) iff both $I$ and $S$ conform to the Definition 30 modeling constraints and the DLTS induced from $I$, $I' = (S_I, Act_I, \rightarrow_I, (l_0, \bar{0})_I)$, and the DLTS induced from $S$, $S' = (S_S, Act_S, \rightarrow_S, (l_0, \bar{0})_S)$, are timed logic conformant (i.e., $I' \sqsubseteq_t S'$).

4.9 TLC, Parallel Composition, and Hierarchical Verification

Historically, one of the most theoretically important properties of equivalence and partial order relations between models of concurrent systems is whether or not they are preserved by parallel composition operations. If a relation is preserved by the composition process, and the input assumptions of each of the components in the composition are independently specified, then the verification task can be broken down into independent pieces without resorting to assumes-guarantees-style proof obligations.

If parallel composition does not preserve the relation then designers must verify every composition against a higher level of abstraction, and they should eventually have a top-level specification that is not parallel composed. Often this is not practical for real-world designs because of the complexity of generating a monolithic top-level specification, and in that case one should carefully simulate the top-level composition to ensure it behaves as expected. One should also employ model checkers to prove it has the important properties they expect and that the composed specification is free from deadlock and livelock.

When the input assumptions of each of the components are not independently specified, then designers must do the extra assumes-guarantees-style verifications to determine whether or not the implicit input assumptions of the components operating together and in an environment are satisfied together.

Since the TSA formalism supports specifying the input assumptions of each component, and the CI-free property of compositions ensures that the input assumptions of cooperating components do not interfere with outputs, an efficient top-down verification methodology can be realized. Top-down hierarchical TLC verification starts at the most abstract level with a specification that incorporates the environmental timing issues (e.g., input frequency, stimulus-response constraints) into its behavior. The specification is the contract with the environment; as such it defines the behavior required for the inputs it accepts. Only implementations that satisfy the TLC relation with the specification fulfill the contract; TLC failures are design errors.

Then, a hierarchical system is top-down verified by defining (by parallel composition) a set of sub-specifications that are TLC-verified against the specification. Sub-specifications must also be CI-free, but only in the reachable subset of their state space explored by the TLC-relation with the specification's reachable state space. Designers continue down the hierarchy, TLC-verifying each sub-specification against its sub-sub-specification until TLC holds with implementations composed entirely of design primitives. The reverse method can be used from the bottom-up to create systems (as done in the STAR! example 6.2.3).

Unfortunately, as currently defined, TLC is not preserved by parallel composition. Figure 7 illustrates the problem. I and S are nearly identical; the only difference is the guard k > 1 on I2. Formula 23 forgives this difference when verifying I against S, since $\forall k_s \in [0,1)\,[S1_{k_s} \xrightarrow{a\_} S2_{k_s} \Rightarrow I1_{k_s} \xrightarrow{\delta} I1_1 \xrightarrow{a\_} I2_1 \Rightarrow I1_{k_s} \overset{a\_}{\Rightarrow}_o I2_1 \wedge (I2_1, S2_{k_s}) \in \mathcal{LC}^*]$. The difference is forgiven because I1's a_ outputs are allowed to be a timed subset of S1's a_ outputs. Allowing the implementation to match the specification using $\Rightarrow_o$ keeps $(I1_k, S1_k)$ in $\mathcal{LC}^*$ for $k \in [0,1)$.


Figure 7. I conforms to S, but I||X does not conform to S||X.


However, in composition with X1, the states $\{((I2\|X1)_1, (S2\|X1)_k) \mid k \in [0,1)\}$ cannot be in $\mathcal{LC}^*$, because Formula 25 (checking that the specification can match implementation outputs) fails when comparing $(I2\|X1)_1$ and $(S2\|X1)_k$: state $(S2\|X1)_k$ cannot do X1's c_ for $k_x \in [0,1)$ because the guard $k_x > 1$ is false. This means that the state pairs $((I1\|X1)_k, (S1\|X1)_k)$ for $k \in [0,1)$ cannot be in $\mathcal{LC}^*$, and neither can the states $((I\|X)_k, (S\|X)_k)$. Therefore $I\|X$ does not conform to $S\|X$.

In this example, allowing time to progress in I1 to match S1's a_ output, together with the unmatched changes in X1's behavior, causes the problem. X1 behaves differently when $k_x > 1$ than it does when $k_x < 1$. The TLC relation cannot allow this difference in the composition even though it accepted the difference between I1 and S1 via $I1_{k_s} \overset{a\_}{\Rightarrow}_o I2_1$ while computing whether I conforms to S.

This example illustrates the conflict between parallel composition and relaxing the timing relationship between implementation and specification outputs. The TSA time successor Rule 7 on page 41 defines that time progresses equally for all DLTS's induced from parallel TSA, but neither the TLC relation, nor the modeling constraints, nor the CI-free property prohibit transition guards from becoming enabled (like X1's) while time progresses.

This is not a problem for CTR verification because $a$ in Formula 2's antecedent $S \xrightarrow{a} S'$ does not range over $\{\delta\}$ for the time prefix [0,3]. This means that the $a$ transition of [0,3].(S1||X1) is not enabled. Only when I's delay prefix becomes [0,2].(I1||X1) does Formula 1 on page 25 require them to match, and then they do, because [0,2].X1 is enabled for both compositions at that point. If Formula 23 were changed to match CTR's semantics from

$$\forall S'\,[S \xrightarrow{a} S' \Rightarrow \exists I'\,[I \overset{a}{\Rightarrow}_o I' \wedge (I', S') \in \mathcal{LC}^*]]$$

to

$$S \xrightarrow{a} S^* \Rightarrow \exists\, \delta, I', I'', S', S''\,[I \overset{\delta}{\Rightarrow} I' \xrightarrow{a} I'' \wedge S \overset{\delta}{\Rightarrow} S' \xrightarrow{a} S'' \wedge \{(I', S'), (I'', S'')\} \subseteq \mathcal{LC}^*]$$

this formulation would not require the original state $S^*$ reached via $S \xrightarrow{a} S^*$ to be matched. It relaxes TLC such that the example in Figure 7 would preserve the composition. Unfortunately, if there were also an input transition on X1, TLC would hold, despite the fact that (S||X) leads to an input that (I||X) cannot match. Such an error is not consistent with the notion of an acceptable implementation; so TLC cannot be weakened like CTR.

In contrast, if the TLC relation is strengthened such that the implementation must match output timing exactly (i.e., replace $\Rightarrow_o$ by $\rightarrow_o$ in all Formulas 22 through 27), then composition preserves TLC, but it makes the relation impractical. When implementations are required to match specification output timing exactly, TLC generally rejects useful abstractions because typical implementations do not always exhibit both the best-case and worst-case delays from all states. Hence the TLC relation cannot generally be preserved in a practical way by strengthening output timing matching.

The fact that TLC is not preserved by parallel composition is a practical problem only when not all compositions are verified. All compositions are verified except when a monolithic top-level specification cannot be constructed to verify the most abstract composition. In this case, one should simulate and model-check the most abstract composition as described in Section 4.9, and TLC-verify it against the composition of the entire next level of abstraction TSA. For example, referring to the TSA modeling hierarchy in Figure 8, in order to verify the top-level composition A||B||C, verification that

    A1||A2||A3||B1||B2||B3||C1||C2||C3 conforms to A||B||C

is required instead of relying on

    (A1||A2||A3 conforms to A) ∧ (B1||B2||B3 conforms to B) ∧ (C1||C2||C3 conforms to C)

to separately satisfy the intended behavior of A||B||C. Any TLC failures in the large verification should be carefully scrutinized to ensure the specification is requiring the appropriate behavior. If not, then modify A, B, or C; if so, correct the offending A_i, B_i, or C_i.


Although this may seem just as expensive as the assumes-guarantees reasoning process, note that all of the models in this example are models of the system being built, not of the environment. In Figure 3, the problem depicted is the verification of a system being built, perhaps Y, where X and Z are models of the environment interacting with Y. Here, the environmental constraints are captured in the TSA A||B||C, which is at the same level of abstraction as Y. The verifications depicted in Figure 8 represent two levels of abstraction below Y, and reasoning about the system itself, not the environment. If Y must be concretized to be implemented, then there are even more assumes-guarantees verifications necessary for all the Y_i timed processes in their environments.

4.10  Summary 

This chapter formally defined the timed equivalence relation weak timed bisimulation, which relates DLTSs with different internal action sequences but the same observable action sequences and timing. To relate systems that do not have exactly the same timing, it defined how to abstract away the temporal differences between TSA, and how to use those abstractions to weaken weak timed bisimulation via the partial order Timed Logic Conformance.

With a few well-defined exceptions, Timed Logic Conformance requires that implementation inputs are a timed superset of specification inputs and that implementation outputs are a timed subset of specification outputs. Timed Logic Conformance formalizes these notions and specifies when an implementation can safely replace a specification, and it has the necessary mathematical properties to support hierarchical verification of large systems, with the exception that one must be careful when the most abstract specification is parallel composed.

The  TLC  verification  process  supports  a  powerful  and  efficient  top-down  verification  method¬ 
ology  that  also  works  bottom  up.  The  TLC  verification  methodology  is  better  than  assumes- 
guarantees  reasoning  because  it  simplifies  and  reduces  the  burden  of  building  models,  and  it  breaks 
the  verification  down  into  less  complex  independent  pieces. 

TLC verification simplifies model building because fewer models have to be built; no models of the environment itself need to be constructed, and no models of the rest of the system and the environment (the environment from a particular component's point of view) need to be constructed. Further, the system models that are constructed are simpler because not all inputs in all states for all times have to be defined. Only the inputs necessary to satisfy the CI-free property have to be added.

The TLC verification methodology is simpler because it can be independently decomposed without the assumes-guarantees circular dependency verifications. This reduces the magnitude of the verification task tremendously because iteratively changing models and specifications only affects the verifications up and down the hierarchy, not across the breadth of it for every iteration.
V. Timed Logic Conformance System


This  chapter  describes  the  Prolog  Timed  Logic  Conformance  System  (TLCS).  After  presenting  some 
background  information,  it  describes  the  finite  automata  induced  from  Timed  Safety  Automata 
(TSA)  called  region  automata.  Region  automata  are  useful  for  reasoning  about  TSA  behavior 
using  computers,  and  in  particular  for  this  research  using  TLCS.  After  describing  the  TLCS  region 
automata  time  representation,  the  chapter  describes  the  TLCS  rules  and  procedures  that  efficiently 
implement  the  TLC  decision  procedure.  Finally,  it  concludes  with  a  description  of  the  TLCS  TSA 
input  format,  TLCS  TSA  parallel  composition,  and  TLCS  user  interface. 

5.1 Background

TLCS is actually a second-generation Prolog program. The first-generation program computes the TLC maximum fixpoint over a discrete projection of the induced DLTS. It directly computes the $\Rightarrow_i$, $\Rightarrow_o$, $\rightarrow_i$, and $\rightarrow_o$ transition relations, takes the cross product of the discrete subsets of implementation and specification DLTS states, and whittles the cross product down to the maximum fixpoint $\mathcal{LC}^*$. TLCS uses predicates implementing the TLC definition (Formulas 22 through 27) to reject state pairs that do not satisfy the relation. The first-generation program is quite useful for understanding the subtleties of the TLC definitions, but it is only practical for TSA with handfuls of locations.

The second-generation program (TLCS) verifies whether or not the dense-time behavior of two TSA satisfies the TLC relation properties. Instead of verifying the cross product of the state spaces, TLCS examines only the subset of the TLC maximum fixpoint relation that is reachable between the two TSA being compared when they start in their initial locations, time progresses the same for both of them, and they receive the same inputs. TLCS explicitly enumerates the reachable states of the two region automata being compared using a common frame of reference for time passing. TLCS renames the clocks of the two systems to ensure they are unique and unions the renamed clock sets into a single clock set used as a common time reference. TLCS does not directly compute the $\Rightarrow_i$, $\Rightarrow_o$, $\rightarrow_i$, and $\rightarrow_o$ transition relations. Rather, it follows $\tau$ and time-passing transitions ($\delta$'s) when necessary and allowed by the TLC definition (Def. 29) formulae to determine if TLC holds. For example, if $S \xrightarrow{a} S'$ but $I$ cannot do $a$ directly, TLCS follows $\tau$ or $\delta$ transitions in accordance with the $\Rightarrow_o$ relation definition (Def. 25) to determine if $I \overset{a}{\Rightarrow}_o I'$ and if $I'$ and $S'$ satisfy the TLC relation properties.

TLCS depth-first explores the mutually reachable state space of the two automata by taking transitions and advancing time from their initial states to determine if any TLC formula is violated in any reachable state pair. If no TLC formula is violated and all of the reachable state space is explored, TLCS succeeds and TLC holds. If a TLC formula is violated before examining all of the reachable states, TLC fails, and TLCS can be queried to report a trace (sequence of actions) or simulation (sequence of locations, times, and actions) leading to the failure. TLCS examines all reachable states for all possible actions starting from the initial state pair, so it will detect any failure that disqualifies the initial state pair $(I_0, S_0)$ from being in $\mathcal{LC}^*$. This is true because $(I_0, S_0) \notin \mathcal{LC}^*$ implies that for some action $\sigma$ either $I_0 \xrightarrow{\sigma} I$ and $S_0 \xrightarrow{\sigma} S$ with $(I, S) \notin \mathcal{LC}^*$, or one of the systems could do $\sigma$ and the other could not match $\sigma$ according to the TLC formulae. Both cases are detected by TLCS.

The  following  sections  explain  the  TLCS  implementation.  First  the  region  automata  time 
representation  is  explained,  then  TLCS  data  structures  and  the  Prolog  rules  and  procedures  reveal 
the  TLCS  algorithm  that  decides  if  TLC  holds  between  a  pair  of  implementation  and  specification 
TSA. 


5.2  Region  Automata 

Since the state space of a DLTS is uncountable, the DLTS semantic model cannot be used to represent TSA and compute relationships between them on finite computer systems. Therefore a finite representation of the DLTS called region automata, from Alur and Dill (ACD90) and fully developed in (AD94), is adapted for TSA semantics and computing TLC.


The main difference between DLTS and region automata is that the uncountable number of clock assignments representing the different possible combinations of clock values in the DLTS are represented finitely by a collection of open and closed intervals in the region automata, one interval for each clock, and a relation on clocks that orders them according to the magnitude of the fractional part of the clock value. Hence, the "state" of a region automaton consists of a label representing the TSA location, a collection of time intervals, and the fractional-part relation. The intervals and the fractional-part relation together define equivalence classes for the clock assignments. Figure 9 serves as an example. In this example there are two clocks, x and y. The largest integers used to constrain clocks x and y are 2 and 1 respectively. While there are an uncountable number of real values these two clocks can take on with respect to one another, only 28 different equivalence classes are required to finitely represent the clock assignments as depicted in the figure. Hence, instead of an uncountable number of $(l, \nu)$ timed states and transitions between them, a finite number of $(l, EC(\nu))$ tuples and transitions represent TSA behavior in the computer (where $EC(\nu)$ stands for the equivalence class of the clock assignment $\nu$).


Figure 9. Region Automata Time Regions (clocks x and y, constrained by 2 and 1 respectively; 6 closed points, e.g. [1,1]; 14 open segments, e.g. 0 < x = y < 1; 8 open regions, e.g. 0 < x < y < 1).


Since only integers are used to constrain TSA, as time progresses the truth of guards and invariants can only change when a clock value changes from an integral to a non-integral real value or vice versa. Consequently, when no clocks are integral, the algorithm need only keep track of which two integers each clock is between and which clock(s) will reach their next integral value first (i.e., which clock(s) has (have) the largest fractional part). When one or more clocks are integral, for time to progress, their values will change next, and after the time changes, those clocks have the smallest fractional part, and no clocks are integral. Note that once a clock value exceeds the largest integer used to constrain it, the truth or falsity of guards and invariants referencing it does not change, so there is no longer any need to reference the fractional parts of such clocks. Since time progresses at the same rate in TSA clocks, it can only progress along trajectories parallel to the line x = y in the 2-clock example in Figure 9; e.g., time progresses transitively from point [x = y = 0] to the line segment [0 < x = y < 1] to the point [x = y = 1] to the open region [1 < x < 2, 1 < y < 2] to the line segment [x = 2, y > 1] to the open region [x > 2, y > 1].

TLCS time equivalence classes are called time regions. A time region is a tuple [CV,CC], where CV (Clock Values) is a sorted sequence of tuples [[CName,L,R],...]. CName is the clock name, L is the lower integer bound on clock CName's value, and R is either the upper integer bound on clock CName's value or the atom 'i' representing infinity when CName's value is unbounded. Only two kinds of intervals, closed and open, are necessary; there is no representation for clopen intervals. An interval is closed and represents a single point when L=R. An interval is open when L≠R. CC (Clock Classes) is a sequence of tuples containing alphabetically sorted lists of clock names representing a descending-order sorted partition of bounded clock fractional values (e.g., [[c1,c3],[c2]] where c1 and c3 have equal fractional parts, and c2 has a smaller fractional part than c1 and c3). Every CName in CV except those whose value is unbounded will be in one and only one element of CC. If no clocks are bounded (i.e., all clock values exceed the maximum values constraining them), CC = []. TLCS time regions for the time progression example in the previous paragraph are shown in Table 5.

Table 5. TLCS Time Region Representation.

Region                    Representation
[x = y = 0]               [[[x,0,0],[y,0,0]],[[x,y]]]
[0 < x = y < 1]           [[[x,0,1],[y,0,1]],[[x,y]]]
[x = y = 1]               [[[x,1,1],[y,1,1]],[[x,y]]]
[1 < x < 2, 1 < y < 2]    [[[x,1,2],[y,1,i]],[[x]]]
[x = 2, y > 1]            [[[x,2,2],[y,1,i]],[[x]]]
[x > 2, y > 1]            [[[x,2,i],[y,1,i]],[]]

Since neither x nor y is reset and time progresses equally on both clocks from (x, y) = (0, 0) in the Table 5 example, the table does not include an example representation for a time region where frac(x) ≠ frac(y). TLCS uses [[[x,1,2],[y,0,1]],[[x],[y]]] to represent the time region [1 < x < 2, 0 < y < 1] where frac(x) > frac(y). This region is the triangle interior defined by the points {(1,0), (2,0), (2,1)}.
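As an added illustration (not TLCS code), the following Python models the [CV,CC] time region described above together with the two operations the later procedures rely on: advancing to the next time region and resetting clocks on a transition. It assumes each clock's largest constraining integer is supplied in a dictionary (maxc), and it reproduces the Table 5 sequence and the frac(x) > frac(y) region from the text.

```python
"""TLCS-style time regions, as an added illustration (not TLCS code).

A region is the pair (CV, CC) described in the text:
  CV: list of (clock, L, R) intervals, R an int or the atom 'i' (unbounded);
      L == R is a closed point, L != R an open interval.
  CC: clock-name classes ordered by descending fractional part; a clock whose
      value exceeds its largest constraint is unbounded and absent from CC.
"""
from typing import Dict, List, Tuple, Union

INF = "i"  # TLCS atom standing for infinity (clock past its largest constant)
Interval = Tuple[str, int, Union[int, str]]
Region = Tuple[List[Interval], List[List[str]]]


def is_integral(iv: Interval) -> bool:
    """A bounded clock sitting exactly on an integer (closed point L == R)."""
    _, lo, hi = iv
    return hi != INF and lo == hi


def next_time(region: Region, maxc: Dict[str, int]) -> Region:
    """Successor time region when time advances uniformly on all clocks.

    maxc (assumed input) gives each clock's largest constraining integer. Once
    every clock is unbounded the region is its own successor (Tn = Tn_).
    """
    cv, cc = region
    if not cc:
        return region
    integral = {iv[0] for iv in cv if is_integral(iv)}
    if integral:
        # Integral clocks move off their integer first; one that sits on its
        # largest constant becomes unbounded and drops out of CC.
        new_cv = [
            ((n, lo, INF) if lo >= maxc[n] else (n, lo, lo + 1)) if n in integral
            else (n, lo, hi)
            for n, lo, hi in cv
        ]
        unbounded = {n for n, _, hi in new_cv if hi == INF}
        new_cc = [[c for c in cls if c not in unbounded] for cls in cc]
        return new_cv, [cls for cls in new_cc if cls]
    # No clock is integral: the class with the largest fractional part reaches
    # its upper bound next, after which it has the smallest fractional part.
    first = cc[0]
    new_cv = [(n, hi, hi) if n in first else (n, lo, hi) for n, lo, hi in cv]
    return new_cv, cc[1:] + [first]


def reset_time(resets: List[str], region: Region) -> Region:
    """Region after the clocks in `resets` are set to 0 on a transition."""
    cv, cc = region
    new_cv = [(n, 0, 0) if n in resets else (n, lo, hi) for n, lo, hi in cv]
    kept = [[c for c in cls if c not in resets] for cls in cc]
    kept = [cls for cls in kept if cls]
    bounds = {n: (lo, hi) for n, lo, hi in new_cv}
    # Reset clocks have fractional part 0: join the last class if it is already
    # integral (smallest fraction), otherwise form a new smallest class.
    if kept and all(is_integral((c,) + bounds[c]) for c in kept[-1]):
        kept[-1] = sorted(kept[-1] + list(resets))
    else:
        kept.append(sorted(resets))
    return new_cv, kept


def to_tlcs(region: Region) -> str:
    """Render a region in the [[CV],[CC]] list syntax used by TLCS."""
    cv, cc = region
    cv_txt = ",".join(f"[{n},{lo},{hi}]" for n, lo, hi in cv)
    cc_txt = ",".join("[" + ",".join(cls) + "]" for cls in cc)
    return f"[[{cv_txt}],[{cc_txt}]]"


def trajectory(region: Region, maxc: Dict[str, int], steps: int) -> List[str]:
    """Regions visited by letting time pass `steps` times, rendered for TLCS."""
    out = [to_tlcs(region)]
    for _ in range(steps):
        region = next_time(region, maxc)
        out.append(to_tlcs(region))
    return out


if __name__ == "__main__":
    # Constructed input matching the Table 5 example: x constrained by 2, y by 1.
    MAXC = {"x": 2, "y": 1}
    zero = ([("x", 0, 0), ("y", 0, 0)], [["x", "y"]])
    for line in trajectory(zero, MAXC, 5):
        print(line)
    # Reset y while 1 < x < 2: one time step later frac(x) > frac(y).
    r = reset_time(["y"], ([("x", 1, 2), ("y", 1, INF)], [["x"]]))
    print(to_tlcs(next_time(r, MAXC)))
```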

In order to ensure that clocks progress at the same rate, equivalence classes for clock values that have not yet exceeded their maximum constraint are no coarser than open intervals between two adjacent integers. For example, the clock value x = 1.25 is represented by the open interval [x,1,2] in its equivalence class. Since, in general, clocks may be independently reset and therefore will not always be in the same equivalence class, all combinations of equivalence classes up to and including the class representing when their value exceeds the maximum integer used to constrain them are possible. This means that the number of regions grows exponentially with the largest clock constraint value. Given that $C$ is the clock set, and $c_x$ is the largest integer constraining clock $c \in C$, the number of clock regions is bounded by $|C|! \cdot 2^{|C|} \cdot \prod_{c \in C}(2c_x + 2)$ (AD94:p203).

Unfortunately,  this  fine  equivalence  class  granularity  is  generally  necessary  to  model  time 
progressing  uniformly  on  all  clocks  and  to  eliminate  region  automata  behaviors  that  would  not  be 
possible  in  the  corresponding  DLTS.  The  following  example  illustrates  why  we  need  such  a  fine 
granularity  of  equivalence  classes.  If  instead  of  limiting  the  largest  equivalence  class  to  be  less  than 
one  time  unit  wide,  the  granularity  of  the  region  automata  equivalence  classes  is  increased  to  the 
open  intervals  between  the  integers  used  to  constrain  the  TSA,  then  some  region  automata  models 
exist  that  exhibit  behaviors  inconsistent  with  the  induced  DLTS  semantics. 
These inconsistencies arise when time is not constrained to pass at the same rate on all system clocks. This is illustrated by the following example. In the Figure 10 TSA/DLTS, no output can occur before b_ is observed. This is the case because the guard on the c_ transition requires cb - ca > 1, and ca and cb cannot ever be more than 1 time unit apart unless the a transition from X1 to X2 is taken. In the portion of the region automata state space and the example transitions illustrated in Figure 11, the region where c_ can occur can be reached by following the a transition from X1 to X2 and returning to X1 from X2 via the b_ transition. Unfortunately, the c_-capable region can also be reached by following δ from (0,0) to (1,1), a from (1,1) to (0,1), δ from (0,1) to region [0 < ca < 1, 1 < cb < 2], where another δ that does not necessarily keep time progressing on both clocks equally can take the automaton to region [0 < ca < 1, 2 < cb < ∞], where a c_ output can occur even though X2 was never entered. This example illustrates why clock value equivalence classes for clocks that have not yet exceeded their maximum constraint are no coarser than open intervals between two adjacent integers.


[Figure 10 transition label: c_, ca <= 1, cb > 2]

Figure 10. Fine-Grained TSA/DLTS.

Figure 11. Inconsistent Region Automata with Skewed δ-Transitions.
The time region is a fundamental data structure of the TLCS system. It is an important part of understanding how the TLCS system finitely computes the TLC relationship for dense time. The next important concept is the TLC decision procedure itself.

5.3  TLC  Decision  Procedure 

This section describes and illustrates TLCS's novel and efficient region-automata-based TLC decision procedure implementation. Starting from some basic definitions, the section uses important TLCS code fragments to explain the decision procedure implementation. After the basic definitions, the discussion is broken down into three subsections. The first subsection describes the TLC Prolog query that checks the behavioral part of TLC; the second describes checking a particular formula from the TLC definition; and the third describes how the TLC Prolog query verifies time derivatives.

TLCS inputs are Prolog atoms other than t that do not end in an underscore. Outputs are Prolog atoms that end with an underscore (_). Taus are the Prolog atom t or Prolog terms t(X) where X is a variable representing any Prolog atom. The TLCS queries input(X), output(X), and tau(X) are true when X is an input, output, or tau action respectively.

In  TLCS,  a  timed  state  of  the  implementation,  specification,  and  their  combined  time 
representation  is  an  [I,S,T]  tuple  where  I  is  a  Prolog  term  representing  the  implementation 
location,  S  is  a  Prolog  term  representing  the  specification  location,  and  T  is  the  time  region.  The 
initial  timed  state  is  then  the  initial  location  of  the  implementation,  the  initial  location  of  the 
specification,  and  the  zero  time  region  of  the  combined  clock  set.  Since  the  initial  locations  of 
the  two  TSA  being  compared  must  be  in  the  TLC  relation  between  their  induced  DLTS’s  and 
their  corresponding  region  automata  at  time  zero,  TLCS  starts  checking  whether  or  not  the  two 
automata  satisfy  the  TLC  relation  properties  from  the  initial  timed  state. 

TLCS keeps track of all the timed states it has checked or is currently checking, and once a timed state is checked, it is not checked again. This avoids recomputing tlc/6 for timed states that have already satisfied TLC and for those which are currently being examined in the depth-first trail. In most cases TSA used in this research have recursive behavior patterns, so maintaining and checking the list of visited timed states prevents nonterminating computation.

5.3.1 Behaviorally Checking TLC. The tlc(I,S,Tn,Matched,UnMatched,Parent) Prolog query (abbreviated by the functor tlc/6) investigates whether implementation location I and specification location S satisfy the TLC relation formulae at time Tn; i.e., given timed state [I,S,Tn], where Tn(I) and Tn(S) are corresponding DLTS time points represented by equivalence class time region Tn, tlc/6 computes whether or not $((I, Tn(I)), (S, Tn(S))) \in \mathcal{LC}^*$. If so, the query succeeds and TLC holds; if not, the query fails and TLC does not hold. The input parameter Matched is a list of [Sigma,S_] tuples representing specification output actions Sigma and specification to-states S_ that were matched earlier from implementation location I at some time Tm preceding time Tn. The to-states S_ are recorded and checked to ensure that behaviorally distinct to-states are not overlooked. The input parameter UnMatched is a list of [Sigma,S_] tuples representing specification output actions Sigma and specification to-states S_ that have not yet been matched by the implementation from location I for any time Tm preceding time Tn. Lists Matched and UnMatched allow specification outputs to occur earlier or later than implementation outputs. If the implementation cannot match a specification output Sigma, TLCS adds the specification output Sigma and reached location S_ to UnMatched, increments time to the next time value Tn_ and checks to see if tlc(I,S,Tn_,Matched,[[Sigma,S_]|UnMatched],Parent) holds. When the implementation matches [Sigma,S_], then [Sigma,S_] is removed from UnMatched and added to Matched. When time passes all clock bounds (i.e., Tn=Tn_) or the implementation location invariant expires, UnMatched must be empty, or else tlc/6 fails (i.e., the implementation never matched some specification output). The input parameter Parent is a timed state number (integer) that TLCS assigns

The name of a Prolog query is the Prolog atom preceding the left parenthesis. A Prolog functor is the query name and number of query arguments separated by a forward slash.

The symbol | stands for list construction; e.g., [a|L] prepends the atom a on list L and [[a,b,c]|L] prepends the triple [a,b,c] on list L.
to uniquely identify the timed state [’I,’S,’Tn] that led to [I,S,Tn] by some action or time progression. TLCS uses timed state numbers to generate error traces and simulations.

Figure 12 displays the queries from the tlc/6 procedure that implement the TLC definition (Def. 29) formulae. The query names are derived from the system whose actions are being matched and the type of action that is being matched. Alphas are inputs, betas are outputs, and taus are τ's. For example, spec_alpha/9 implements checking that specification inputs are matched according to Formula 22. The parameters IActs and SActs are lists of [Sigma,Resets,ToState] triples denoting locations reached from the implementation and specification states I and S respectively at time T by action Sigma ∈ Act; Resets denotes the set of I or S clocks reset when the transition is taken to ToState. N is the unique number TLCS assigns to timed state [I,S,T].

spec_alpha(I,S,T,SActs,IActs,Matched,UnMatched,Parent,N),
spec_beta(I,S,T,SActs,IActs,Matched,UnMatched,Parent,N),
spec_tau(I,S,T,SActs,IActs,Matched,UnMatched,Parent,N),
imp_beta(I,S,T,IActs,SActs,Matched,UnMatched,Parent,N),
imp_alpha(I,S,T,IActs,SActs,Parent,N),
imp_tau(I,S,T,IActs,SActs,Matched,UnMatched,Parent,N),

Figure  12.  TLC  Formulae  Queries. 

5.3.2 Checking TLC Formulae. The spec_beta/9 procedure requires allowing both structural and temporal differences and provides the most thorough example. Figure 13 is the TLCS Spec-Beta Procedure implementing TLC Def. 29 Formula 23. Identifiers that are capitalized are Prolog variables, [] denotes the empty list, and underscores without prepended atoms are "don't care" variables.

The five different Prolog rules separated by periods in Figure 13 define the spec_beta/9 procedure. The first four spec_beta/9 rules can satisfy Formula 23. At runtime, Prolog checks the rules in the order they are defined from the top to the bottom. The fifth spec_beta/9 rule never succeeds (fail cannot succeed); it asserts a deficient fact (d/6) to assist in debugging TLC failures and then fails. The exclamation points are "cuts" that stop Prolog from trying to satisfy
spec_beta(_,_,_,[],_,_,_,_,_) :- !.
spec_beta(I,S,T,[[Beta,_,_]|SActs],IActs,Matched,UnMatched,P,N) :-
    not output(Beta),
    !,
    spec_beta(I,S,T,SActs,IActs,Matched,UnMatched,P,N).
spec_beta(I,S,T,[[Beta,SResets,S_]|SActs],IActs,Matched,UnMatched,P,N) :-
    member([Beta,IResets,I_],IActs),
    reset_time(IResets,SResets,T,T_),
    tlc(I_,S_,T_,[],[],N),
    !,
    spec_beta(I,S,T,SActs,IActs,Matched,UnMatched,P,N).
spec_beta(I,S,T,[[Beta,_,S_]|SActs],IActs,Matched,UnMatched,P,N) :-
    % Must do output before another visible action occurs -- via tau or delta.
    merge_set([[Beta,S_]],UnMatched,UM),
    spec_beta_aux(I,S,T,IActs,Matched,UM,N),
    !,
    spec_beta(I,S,T,SActs,IActs,Matched,UnMatched,P,N).
spec_beta(I,S,T,[[Beta,_,S_]|_],_,_,_,P,N) :-
    retractall(c(I,S,T)),
    assert(d(I,S,T,sb(Beta),P,N)),
    fail.

Figure 13. TLCS Spec-Beta Procedure.


spec_beta/9 with more than one rule. Once the queries in a rule body up to the cut are satisfied, the remaining queries in the rule body must succeed or spec_beta/9 fails regardless of the remaining rules.

The first rule satisfies the query when there are no [Beta,S_] action and to-state pairs possible from S. This is the case when S cannot do any actions, or when all of S's outputs have been checked.

The second rule satisfies the query when the action Beta is not an output. This is the case when the list of actions SActs has a [Beta,SResets,S_] triple and Beta is not an output action.

The third rule satisfies the query when the implementation matches the specification's Beta and the to-locations of the two systems also satisfy tlc/6.

The fourth rule satisfies the spec_beta query if it finds a matching output by following an implementation tau or by allowing time to pass. In either case, it adds the unmatched [Beta,S_] pair to the UnMatched list and calls spec_beta_aux/6, which is defined in Figure 14.
spec_beta_aux(_,S,T,IActs,Matched,UM,N) :-
    % Via tau?
    member([A,IResets,I_],IActs),
    tau(A),
    reset_time(IResets,[],T,T_),
    tlc(I_,S,T_,Matched,UM,N),
    !.

spec_beta_aux(I,S,T,_,Matched,UM,N) :-
    % Via delta?
    next_time(T,T_),
    tlc(I,S,T_,Matched,UM,N).

Figure 14. TLCS Spec-Beta-Aux Procedure.

Functor spec_beta_aux/6 is defined by two rules. The first rule is satisfied when the implementation can do a tau action that leads to a TLC-satisfying state. It compares the current specification state S against the tau derivative state I_ by resetting the clocks associated with I's tau action and calling tlc(I_,S,T_,Matched,UM,N). The second rule advances the time region to the next possible time equivalence class and calls tlc(I,S,T_,Matched,UM,N) to see if I matches S's output in the future. This completes the explanation of TLCS's spec_beta/9 formula.

The TLCS implementations of the remaining TLC formulae are all simpler than spec_beta/9. The only novelty is the implementation of the extra conjunct in Formula 24's antecedent, which is implemented by the Prolog rule:

imp_alpha(I,S,T,[[Alpha,_,_]|IActs],SActs,P,N) :-
    not member([Alpha,_,_],SActs),
    !,
    imp_alpha(I,S,T,IActs,SActs,P,N).

The above rule simply satisfies the imp_alpha/7 query when Alpha is not in the set of actions possible for the specification.

5.3.3 Temporally Checking TLC. After checking that all TLC formulae hold for all of the actions and to-locations in IActs and SActs, tlc/6 does four things:

1. Creates the list AllMatched by adding specification outputs matched in the current timed state to Matched.

2. Creates the list StillUnMatched by removing specification outputs matched in the current timed state from UnMatched.

3. Calls next_time(T,T_) to increment the time region T to the next possible time equivalence class T_.

4. Checks to see if [I,S,T_] satisfies TLC.

When T=T_, all clocks have exceeded their maximum time bound and time progresses infinitely. Since [I,S,T] = [I,S,T_], all future behavior from locations I and S is already verified. If there are no unmatched specification outputs, TLCS asserts h(I,S,T,AllMatched) to log the fact that TLC holds.

When T ≠ T_, T_ is a new time region, and TLC must be verified to hold in the future states. There are four possibilities.

1. Neither I nor S can move forward to time T_. This is the case when both location invariants are violated by time T_. In this case, as long as there are no unmatched specification outputs, TLC holds in timed state [I,S,T] and TLCS asserts h(I,S,T,EM) to log this fact.

2. T_ is valid for I but not for S. This means that S's invariant is violated by time T_. In this case, TLCS uses the code fragment:

    ( no_future_imp_outputs(I,T_)
    ; ( member([Tau,SResets,S_],SActs),
        tau(Tau),
        reset_time([],SResets,T,T2),
        tlc(I,S_,T2,AllMatched,StillUnMatched,N) )
    ; ( retractall(c(I,S,T)),
        assert(d(I,S,T,[delta,s],Parent,N)),
        fail ) )

to execute one of three things (the ";" operator is Prolog disjunction):

(a) TLC succeeds if the implementation has no future outputs (no_future_imp_outputs/2 succeeds).

(b) TLC succeeds if I does have future outputs and they are matched by S after it performs a tau action; i.e., tlc(I,S_,T2,AllMatched,StillUnMatched,N) succeeds.

(c) TLCS retracts c(I,S,T) (the considering fact), asserts a debugging fact (d/6), and fails.


3. T_ is not valid for I but is valid for S. This means that I's invariant is violated by time T_. In this case, TLCS uses the code fragment:

    ( ( StillUnMatched == [],
        no_new_future_spec_actions(S,SActs,AllMatched,T_),
        ( IActs == []
        ; ( member([Beta,_,_],IActs),
            output(Beta) ) ) )
    ; ( member([Tau,IResets,I_],IActs),
        tau(Tau),
        reset_time(IResets,[],T,T2),
        tlc(I_,S,T2,AllMatched,StillUnMatched,N) )
    ; ( retractall(c(I,S,T)),
        assert(d(I,S,T,[delta,i],Parent,N)),
        fail ) )

to execute one of three things:

(a) TLC is satisfied when output-bound (Def. 28) holds. Output bound is implemented here by checking three things:

i. StillUnMatched == [] verifies there are no unmatched specification outputs.

ii. no_new_future_spec_actions(S,SActs,AllMatched,T_) verifies S has no new outputs or inputs in the future.

iii. Either a previous implementation state already matched all specification actions (IActs == []) or this location is the one that matches the specification and does the output (member([Beta,_,_],IActs) and output(Beta)).

(b) If the specification does have future actions, they are matched by the implementation after it performs a tau action; i.e., tlc(I_,S,T2,AllMatched,StillUnMatched,N) succeeds.

(c) TLCS retracts the considering fact c(I,S,T), asserts a debugging fact (d/6), and fails.

4. T_ is valid for both I and S. Whether or not TLC is satisfied in the future is determined by the query tlc(I,S,T_,NewMatches,StillUnMatched,N). If not, TLCS retracts the considering fact c(I,S,T), asserts a debugging fact d(I,S,T,delta,Parent,N), and fails.

When  all  of  the  tlc/6  queries  from  new  state  pairs  or  new  time  derivatives  have  been  satisfied, 
tlc/6  succeeds.  Otherwise  tlc/6  fails.  TLCS  users  do  not  input  tlc/6  queries,  rather,  they  interface 
with  the  TLC  decision  procedure  using  a  tlc/2  query  that  accepts  two  TSA  names  or  definitions  and 
reports  whether  or  not  TLC  holds  between  them.  The  tlc/2  query  and  other  TLCS  user  interface 
queries  are  explained  in  the  next  section. 


5.4  TLCS  User  Interface 

This  section  describes  the  user-level  data  structures,  Prolog  queries,  and  outputs  from  the 
TLCS  system.  After  describing  how  to  define  TSA  for  TLCS,  the  tlc/2  query  and  debugging 
interfaces  are  described. 


5.4.1 TLCS TSA. Extended Backus-Naur Form (EBNF) productions in Def. 35 define the syntax of Timed Logic Conformance System (TLCS) TSA queries. The symbols "{" and "}" in the productions group optional constructs. Parentheses "(", ")" and brackets "[", "]" in these productions are literal. Non-terminals start with uppercase letters, and terminals start with lowercase letters. The terminal identifier is an alphanumeric Prolog atom.

Definition 35. TLCS TSA Query Syntax.

Tsa ::= tsa(TSAName,[Locations,StartName,Relation])
Action ::= Tau | VisibleAction
CCL ::= [] | [ClockConstraint {, ClockConstraint}*]
ClockConstraint ::= [ClockName,RelationalOperator,integer]
ClockName ::= identifier
FromLocation ::= StateName
Input ::= identifier
Locations ::= [State-CCL-Pair {, State-CCL-Pair}+]
Output ::= identifier_
RelationalOperator ::= l | leq | geq | g
Relation ::= [] | [Transition {, Transition}*]
Resets ::= [] | [ClockName {, ClockName}*]
StartName ::= StateName
State-CCL-Pair ::= [StateName,CCL]
StateName ::= identifier
TSAName ::= StateName | [StateName {, TimeParameter}*]
Tau ::= t | t(VisibleAction)
TimeParameter ::= integer
ToLocation ::= StateName
Transition ::= [FromLocation,Action,CCL,Resets,ToLocation]
VisibleAction ::= Input | Output

A TLCS TSA is a 3-tuple [Locations,StartName,Relation] where:

• Locations: a list of [LocationName,CCL] pairs where CCL is a sorted past-closed Clock Constraint List; e.g., a < 6 ∧ b ≤ 4 is encoded by CCL = [[a,l,6],[b,leq,4]].

• StartName: Name of the starting location, either an atom or string corresponding to one of the LocationNames in Locations.

• Relation: the transition relation 5-tuple list [[F,Sigma,CCL,Resets,T],...] where:

  - F,T : location names (atoms or strings from Locations tuples).

  - Sigma : action (e.g., a,b = inputs, a_,b_ = outputs, t = tau).

  - CCL : sorted Clock Constraint List.

  - Resets : a sorted list (set) of clock names to reset.

TSA clock constraints are specified using non-negative integers, but TSA clocks are real-valued, and a TSA models system behavior over the positive real-valued n-dimensional continuum (for an n-clock TSA).

The tsa/2 predicate shown in Figure 15 defines a 4-location inverter TSA with minimum (MinD) and maximum (MaxD) time delays on its response to input events. The inverter clock name is k. Inverter locations are inv00, inv01, inv10, and inv11, specifying the values of the input and output in each of the 4 locations. Possible initial locations are inv01 and inv10 (the inverter's stable locations). A stable location is a location from which no output or internal action transition is defined. The inverter input label is a, and its output is labeled b_.




tsa([Inv,MinD,MaxD],
    [[[inv00,[[k,leq,MaxD]]],[inv01,[]],[inv10,[]],[inv11,[[k,leq,MaxD]]]],
     Inv,
     [[inv00,a,[[k,l,MinD]],[],inv10],
      [inv00,b_,[[k,geq,MinD]],[],inv01],
      [inv01,a,[],[k],inv11],
      [inv10,a,[],[k],inv00],
      [inv11,a,[[k,l,MinD]],[],inv01],
      [inv11,b_,[[k,geq,MinD]],[],inv10]]]) :-
    member(Inv,[inv01,inv10]).

Figure 15. TLCS Inertial Inverter.


Given the inverter definition in Figure 15, the Prolog query tsa([inv01,2,3],X). returns the three-tuple TSA:

X = [[[inv00,[[k,leq,3]]],[inv01,[]],[inv10,[]],[inv11,[[k,leq,3]]]],
     inv01,
     [[inv00,a,[[k,l,2]],[],inv10],[inv00,b_,[[k,geq,2]],[],inv01],
      [inv01,a,[],[k],inv11],[inv10,a,[],[k],inv00],
      [inv11,a,[[k,l,2]],[],inv01],[inv11,b_,[[k,geq,2]],[],inv10]]]


5.4.2 TLCS Parallel Composition. TLCS also parallel composes TSA to generate models of more complex systems. EBNF productions in Def. 36 define the syntax of TLCS parallel composition queries. These productions rely on those productions already specified in Def. 35.

Definition 36. TLCS Parallel Composition Query.

Parallel-TSA-Composition ::= parallel(TSAList,Hidden,PTSA)
ActionPair ::= [NewAction,OldAction]
Hidden ::= [] | [VisibleAction {, VisibleAction}*]
NewAction ::= VisibleAction
OldAction ::= VisibleAction
PTSA ::= [Locations,StartName,Relation]
Renames ::= [] | [ActionPair {, ActionPair}*]
TSAId ::= TSAName | Tsa
TSAList ::= [[TSAId,Renames] {, [TSAId,Renames]}*]

The query parallel(TSAList,Hidden,PTSA) parallel composes the TSA in TSAList, where:

• TSAList is the input list of TSA names or definitions and renaming tuples. For example, the list [[tsa1,[[newsig1,oldsig1],...]],...] renames tsa1's label oldsig1 to newsig1.

• Hidden is the input list of uncomplemented (no trailing underscores) actions; parallel/3 generates taus according to the actions in the list Hidden. The generated taus hide internal actions of the parallel TSA so that they are not available for interaction with TSA outside of the parallel composition (i.e., hidden actions make the parallel TSA a black box that can only be accessed using its unhidden actions).

• PTSA is the returned three-tuple TSA; its location names are vectors of the component location names unless the query "state_vectors." is executed to toggle TLCS to use abbreviated location names.

For example, the query:

parallel([[[and000,1,2],[[ab,c]]],
          [[inv01,1,2],[[ab,a],[c,b]]]],
         [ab],
         Nand).

returns the 3-tuple TSA Nand, which is the parallel composition of TSA and000, with minimum and maximum delays 1 and 2, and TSA inv01, also with minimum and maximum delays 1 and 2. Renaming and000's c output to ab and inv01's a input to ab connects them and names Nand's internal signal ab. Since ab is restricted, it will appear in TLCS traces as t(ab). Nand's output is c_, accomplished by renaming the inverter's b output to c.

Parallel/3  generates  the  reachable  location  space  by  starting  from  the  initial  location  of  each 
subcomponent  and  generating  transitions  and  new  to-locations  according  to  the  TSA  parallel  com¬ 
position  rules  defined  in  Def.  18  on  page  45.  Parallel/3  stops  generating  transitions  and  to-locations 
when  no  new  transitions  are  possible.  Parallel/3  generates  the  reachable  location  space  with  regard 
to  the  cooperating  actions  of  the  TSA  being  composed,  but  it  does  not  eliminate  location  combina¬ 
tions  that  might  actually  be  unreachable  because  of  impossible  clock  combinations.  Even  though 
parallel/3  generates  temporally  impossible  location  combinations,  only  timed  states  reachable  under 
the  given  clock  conditions  are  examined  by  tlc/6. 
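The following Python program is an added illustration of the parallel/3 behavior just described; it is not part of TLCS. It builds the Figure 15 inverter as a Python three-tuple, composes two inverters in series with the internal signal mid hidden, and generates the reachable location vectors as described above: over the cooperating actions only, without pruning combinations that clock constraints alone rule out. The synchronization rules it uses are an assumption, since Def. 18 is not reproduced on this page: an output x_ fires jointly with the input x of one other component (the joint guard and reset lists are the unions of both), every other action interleaves, and a joint action on a name in Hidden is labelled t(x). The per-component clock suffixes (k0, k1) follow the diagnostic output shown in Section 5.4.3.

```python
"""Added example (not TLCS code): parallel composition of TLCS-style TSA
three-tuples in Python, following the Section 5.4.2 description of
parallel/3. Composition rules are assumed (Def. 18 is not reproduced here):
an output x_ of one component synchronizes with the input x of one other
component; other actions interleave; a synchronized action named in Hidden
becomes t(x); clocks are suffixed with the component index (k0, k1)."""
from collections import deque


def inverter(start, min_d, max_d):
    """The Figure 15 inertial inverter as a [Locations, Start, Relation] tuple."""
    assert start in ("inv01", "inv10"), "start must be a stable location"
    locations = [["inv00", [["k", "leq", max_d]]], ["inv01", []],
                 ["inv10", []], ["inv11", [["k", "leq", max_d]]]]
    relation = [["inv00", "a", [["k", "l", min_d]], [], "inv10"],
                ["inv00", "b_", [["k", "geq", min_d]], [], "inv01"],
                ["inv01", "a", [], ["k"], "inv11"],
                ["inv10", "a", [], ["k"], "inv00"],
                ["inv11", "a", [["k", "l", min_d]], [], "inv01"],
                ["inv11", "b_", [["k", "geq", min_d]], [], "inv10"]]
    return [locations, start, relation]


def _kind(action):
    if action == "t" or action.startswith("t("):
        return "tau"
    return "out" if action.endswith("_") else "in"


def _rename(action, renames):
    """Apply [New, Old] pairs; outputs are renamed through their base name."""
    for new, old in renames:
        if action == old:
            return new
        if action == old + "_":
            return new + "_"
    return action


def _prepare(tsa, renames, idx):
    """Rename actions and give the component its own clock names (k -> k<idx>)."""
    locs, start, rel = tsa
    clk = lambda ccl: [[c + str(idx), op, n] for c, op, n in ccl]
    invariants = {name: clk(ccl) for name, ccl in locs}
    rel = [[f, _rename(a, renames), clk(g), [c + str(idx) for c in r], t]
           for f, a, g, r, t in rel]
    return invariants, start, rel


def parallel(tsa_list, hidden):
    """Compose [[tsa, renames], ...]; returns [Locations, StartName, Relation]
    with vector location names, generated by breadth-first reachability over
    the cooperating actions only (clock-infeasible combinations are kept)."""
    comps = [_prepare(tsa, ren, i) for i, (tsa, ren) in enumerate(tsa_list)]
    inputs = [{a for _, a, _, _, _ in rel if _kind(a) == "in"} for _, _, rel in comps]
    outputs = [{a[:-1] for _, a, _, _, _ in rel if _kind(a) == "out"} for _, _, rel in comps]
    start = tuple(c[1] for c in comps)
    locations, relation, seen, todo = {}, [], {start}, deque([start])

    def emit(frm, label, guard, resets, to):
        relation.append([list(frm), label, sorted(guard), sorted(resets), list(to)])
        if to not in seen:
            seen.add(to)
            todo.append(to)

    while todo:
        vec = todo.popleft()
        # The vector location's invariant is the union of the component invariants.
        locations[vec] = sorted(g for i, c in enumerate(comps) for g in c[0][vec[i]])
        for i, (_, _, rel) in enumerate(comps):
            others = [j for j in range(len(comps)) if j != i]
            for f, a, g, r, t in rel:
                if f != vec[i]:
                    continue
                kind = _kind(a)
                name = a[:-1] if kind == "out" else a
                if kind == "in" and any(name in outputs[j] for j in others):
                    continue  # driven by another component: generated from its side
                label = "t(%s)" % name if kind != "tau" and name in hidden else a
                receivers = [j for j in others if name in inputs[j]] if kind == "out" else []
                assert len(receivers) <= 1, "broadcast to several receivers is not modelled"
                if not receivers:
                    emit(vec, label, g, r, vec[:i] + (t,) + vec[i + 1:])
                    continue
                j = receivers[0]
                for f2, a2, g2, r2, t2 in comps[j][2]:
                    if f2 == vec[j] and a2 == name:  # receiver's input must be enabled
                        to = list(vec)
                        to[i], to[j] = t, t2
                        emit(vec, label, g + g2, r + r2, tuple(to))
    return [[[list(v), ccl] for v, ccl in locations.items()], list(start), relation]


def series_inverters(min_d, max_d):
    """Two Figure 15 inverters in series: the first one's b_ becomes mid_, the
    second one's a becomes mid and its b_ becomes c_; mid is hidden."""
    return parallel([[inverter("inv01", min_d, max_d), [["mid", "b"]]],
                     [inverter("inv10", min_d, max_d), [["mid", "a"], ["c", "b"]]]],
                    ["mid"])
```

For two [2,3] inverters the composition reaches 8 of the 16 location pairs with 16 transitions; four of them are the hidden t(mid) synchronizations, and no transition labelled mid or mid_ survives, which is what makes the result a black box with input a and output c_. Location pairs such as [inv00, inv01] are generated even when their clock constraints can never hold together, exactly as parallel/3 does.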
5.4.3 TLC Query. Given the Section 5.4.1 inverter TSA, the TLCS command-line entry "tsa([inv01,2,3],X),tsa([inv10,2,3],Y),tlc(X,Y)." returns yes because, even though the TSA X and Y do not have the same initial location names, their behavior is identical. This means that X is an acceptable implementation of Y. Since they are identical, Y is also an acceptable implementation of X, and the query "tsa([inv01,2,3],X),tsa([inv10,2,3],Y),tlc(Y,X)." also returns yes. However, the query "tsa([inv01,2,4],X),tsa([inv01,2,3],Y),tlc(X,Y)." fails, returning the diagnostic information:

The first deficiency discovered was:
I:inv00
S:inv00
T:[[[k0, 3, 3], [k1, 3, 3]], [[k0, k1]]]
Prob:[delta, s] P#:26 M#:27
Where possible Imp Actions are: [b_]
and possible Spec Actions are: [b_]
and future Imp outputs are not matched by the Spec.

In this case, both the implementation and specification are in location inv00; the time region is T=[[[k0, 3, 3], [k1, 3, 3]], [[k0, k1]]], where both clocks k0 and k1 are at time 3 (i.e., CV=[[k0, 3, 3], [k1, 3, 3]]) and their fractional parts are equal (k0 and k1 are in the same partition element CC=[[k0, k1]]); the problem (Prob) is with time progressing (delta) in the specification (s); the parent timed state is #26 and this timed state is #27. The problem is that time cannot progress any more in the specification location inv00, but implementation location inv00 can continue producing future b_ outputs. Hence, implementation b_ outputs are not a timed subset of the specification b_ outputs, and TLC fails to hold.
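The time-progress check that produced this [delta, s] deficiency can be followed with the added Python sketch below; it is not TLCS code, and its region encoding is an assumption (a clock is an exact integer, an open unit interval, or past its largest constant; bounded clocks are grouped by fractional part, integer-valued clocks first), since the page shows only the CV/CC form of a single region. Starting from both clocks at 3, next_time opens k0 into (3,4) while k1, whose largest constant is 3, passes its bound; the implementation invariant k0 ≤ 4 survives the step and the specification invariant k1 ≤ 3 does not, which is case 2 of Section 5.3.3.

```python
"""Added example (not TLCS code): the time-successor step (next_time/2) and
invariant check that Section 5.3.3 applies to region-automaton timed states,
reproducing the [delta, s] deficiency reported in Section 5.4.3.

Assumed encoding (TLCS's own is only partly shown on the page): a region is
(cv, cc); cv maps a clock to (lo, hi) with lo == hi for an exact integer value,
hi == lo + 1 for the open interval between them, and hi == INF once the clock
has passed its largest constant; cc lists the bounded clocks grouped by equal
fractional part in increasing order, integer-valued clocks first."""
INF = float("inf")


def next_time(region, max_const):
    """Successor region as time passes. Returns an equal region once every clock
    has passed its largest constant (the T == T_ case of Section 5.3.3)."""
    cv, cc = region
    cv = dict(cv)
    cc = [list(group) for group in cc if group]
    if not cc:
        return (cv, cc)
    if all(cv[k][0] == cv[k][1] for k in cc[0]):
        # Integer-valued clocks move into the open interval just above them;
        # a clock at its largest constant becomes unbounded and leaves cc.
        for k in cc[0]:
            n = cv[k][0]
            cv[k] = (n, INF) if n >= max_const[k] else (n, n + 1)
        cc[0] = [k for k in cc[0] if cv[k][1] != INF]
    else:
        # No clock is at an integer: the clocks with the largest fractional
        # part reach the next integer and become the fraction-0 group.
        last = cc.pop()
        for k in last:
            cv[k] = (cv[k][1], cv[k][1])
        cc.insert(0, last)
    return (cv, [group for group in cc if group])


def satisfies(region, ccl):
    """True if every clock valuation in the region satisfies the TLCS clock
    constraint list; operators l (<), leq (<=), geq (>=), g (>)."""
    cv, _ = region
    for clock, op, n in ccl:
        lo, hi = cv[clock]
        point = lo == hi
        ok = {"l": hi <= n and not (point and lo == n),
              "leq": hi <= n,
              "geq": lo >= n,
              "g": lo >= n and not (point and lo == n)}[op]
        if not ok:
            return False
    return True


def delta_check(region, imp_inv, spec_inv, max_const):
    """Classify time passing from a timed state as Section 5.3.3 does:
    which of the two location invariants still hold in the successor region."""
    nxt = next_time(region, max_const)
    if nxt == region:
        return "unbounded", nxt
    i_ok, s_ok = satisfies(nxt, imp_inv), satisfies(nxt, spec_inv)
    if i_ok and s_ok:
        return "both", nxt
    if i_ok:
        return ["delta", "s"], nxt   # case 2: S's invariant is violated by T_
    if s_ok:
        return ["delta", "i"], nxt   # case 3: I's invariant is violated by T_
    return "neither", nxt


# The Section 5.4.3 deficiency: implementation inv00 with invariant k0 <= 4
# against specification inv00 with invariant k1 <= 3, both clocks at 3.
DEFICIENT_REGION = ({"k0": (3, 3), "k1": (3, 3)}, [["k0", "k1"]])
MAX_CONST = {"k0": 4, "k1": 3}
IMP_INV = [["k0", "leq", 4]]
SPEC_INV = [["k1", "leq", 3]]
```

Stepping further from the successor region, k0 reaches 4, then passes its own bound, after which next_time returns the region unchanged; that is the T = T_ condition under which TLCS stops advancing time for the pair.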

The subsequent query "trace_to." returns the trace

=a=4=b_=a=6==>

After inputting an a, passing through 4 time regions, outputting a b_, inputting another a, and passing through 6 more time regions, TLCS arrives at the divergent timed states. The query "compare_states(inv00,inv00)." returns:

IInv:[[k0, leq, 4]]
A:a  G:[[k0, l, 2]]   R:[] I_:inv10
A:b_ G:[[k0, geq, 2]] R:[] I_:inv01

SInv:[[k1, leq, 3]]
A:a  G:[[k1, l, 2]]   R:[] S_:inv10
A:b_ G:[[k1, geq, 2]] R:[] S_:inv01

This information includes the implementation location invariant and possible implementation transitions, and the specification location invariant and possible specification transitions. In this case the implementation invariant IInv:[[k0,leq,4]] is looser than the specification invariant SInv:[[k1,leq,3]], leading to the non-TLC-satisfying behavior.

The TLCS distribution includes files that define the basic monotonic and inertial gate-level primitives. There are also files defining procedures that simulate TSA (simulate(TSA)), pretty-print TSA (pp_tsa(TSA)), and print CCS agents from TSA (ccs_agent(StateNamePrefix,TSA)). TLCS is available via email to f.c.young@ieee.org. TLCS runs on the public domain SWI-Prolog, available via anonymous FTP from Jan Wielemaker at ftp.swi.psy.uva.nl/pub/SWI-Prolog.

5.5 Summary

This  chapter  describes  the  Prolog  Timed  Logic  Conformance  System  (TLCS).  After  present¬ 
ing  some  background  information,  it  describes  the  finite  automata  induced  from  Timed  Safety 
Automata  (TSA)  called  region  automata.  After  describing  the  TLCS  region  automata  time  repre¬ 
sentation,  the  chapter  describes  the  TLCS  Prolog  rules  and  procedures  that  efficiently  implement 
the  TLC  decision  procedure.  Finally,  it  concludes  with  a  description  of  the  TLCS  TSA  input  for¬ 
mat,  TLCS  TSA  parallel  composition,  and  the  TLCS  user  interface.  The  final  section  includes  TSA 
syntax  for  TSA  definitions  and  parallel  composition,  and  it  explains  example  debugging  information 
available  when  TLC  properties  are  not  satisfied  between  two  systems. 
VI. Application


This  chapter  is  devoted  to  showing  the  utility  of  the  Timed  Logic  Conformance  (TLC)  relationship 
for  systems  engineering  and  verification.  It  describes  system  models  and  explains  the  results  of 
TLC  verifications  at  several  different  levels  of  abstraction. 

The  flexible  time  and  behavior  modeling  capabilities  of  Timed  Safety  Automata  (TSA)  make 
it  possible  to  express  the  relationship  between  time  passing  and  behavior  at  many  different  levels 
of  abstraction.  Virtually  any  other  discrete  state-based  modeling  formalism  can  be  mapped  into 
TSA,  including  all  untimed  finite  state  machine  models,  timed  event  graphs  (HB94),  and  timed 
CCS.  Such  a  flexible  modeling  formalism  makes  it  easy  to  model  different  kinds  of  behavior,  but 
designers  should  constrain  themselves  to  specific  canonical  forms  for  modeling  behavior  so  that  the 
semantics  of  the  models  can  be  uniformly  understood  and  results  can  be  applied  in  meaningful 
ways. The next few sections discuss using TSA and the Timed Logic Conformance System (TLCS) to canonically model and verify hardware systems at three different levels of abstraction.

6.1 Gate-level Models

Logic  gates  are  the  primitives  in  a  gate-level  hardware  model.  Typically  a  logic  gate  discretely 
models  the  behavior  of  several  interconnected  transistors  by  abstracting  real-valued  voltage  levels 
into  the  binary  values  zero  and  one.  In  practice  designers  use  tools  like  SPICE  to  analyze  component 
models  below  the  gate-level  (e.g.,  individual  transistors)  because  of  their  bi-directional  current  flows 
and  continuous  electro-magnetic  properties. 

6.1.1  Canonical  Gate- Level  Models.  This  section  focuses  on  two  canonical  forms  for 
modeling  gates  that  conform  to  the  Definition  30  modeling  constraints.  The  first  form  is  called 
monotonic;  a  monotonic  gate  model  reflects  every  possible  output  change  that  can  occur  from  all 
unstable  locations.  An  unstable  location  is  a  location  where  a  TSA  may  generate  an  output 
or  internal  event.  Consequently,  a  stable  location  is  a  location  where  no  output  or  internal  events 
are possible. In contrast to the monotonic gate model, an inertial gate model might not reflect an
output  change  from  an  unstable  location.  An  inertial  gate  model  output  event  is  “canceled”  when 
the  time  separation  between  two  input  events  is  small  enough  (i.e.,  two  events  occur  on  the  same 
input  with  less  than  a  minimum  delay  between  them)  and  the  model  returns  to  a  stable  location 
before  generating  the  output  event.  Monotonic  semantics  are  the  standard  for  untimed  gate  models. 
In  timed  systems,  inertial  models  support  higher  fidelity  modeling,  as  shown  in  Section  6.1.2. 

Inertial-delay  semantics  are  commonly  used  in  hardware  simulations,  and  they  are  the  default 
signal  assignment  semantics  of  the  Very  High  Speed  Integrated  Circuit  (VHSIC)  Hardware  Descrip¬ 
tion  Language  (VHDL).  Although  inertial  delay  models  can  make  simulations  more  efficient,  they 
can  also  hide  defects  in  systems  if  not  used  correctly.  In  TLCS,  as  shown  in  the  following  examples, 
inertial  gate  models  model  unstable-location  dependencies  that  are  important  to  investigate  for 
proper  implementation  behavior.  Since  the  inertial  delay  gates  model  hardware  characteristics  in 
more  detail  than  monotonic  gates,  inertial  gates  are  used  in  most  of  the  following  hardware  ex¬ 
amples.  Inertial  delays  are  modeled  with  minimum  and  maximum  bounds,  not  just  a  single  delay 
value,  further  enriching  the  model’s  fidelity  in  accordance  with  accepted  practice  (BS91,  Bur92). 

The  next  section  examines  some  simple  TSA  models  of  hardware  primitives  that  can  be  used 
to  build  larger  systems  by  parallel  composition.  It  also  examines  a  simple  abstract  specification 
and  the  results  of  comparing  implementations  against  specifications. 

6.1.2 Inverters, Ands, and Nands. The simplest hardware device modeled in this research is an Inverter. Figure 16 displays the logic symbol and the TSA defining the behavior of a monotonic Inverter. The Inverter clock name is k. In the figure, black triangles (►) touch stable TSA locations, and unstable locations have no triangles. Note that the Inverter can be configured to start in either stable location. Inverter locations are labeled with the two-digit binary codes indicating the values of the Inverter input and output in that location. The Inverter is monotonic because after entering an unstable location (i.e., locations 00 or 11), inputs that would return the device to a stable location (called stabilizing inputs) are not allowed, and an output event will occur. Only those actions explicitly specified as TSA transitions are possible. In parallel compositions, attempted inputs to the inverter while in locations 11 and 00 violate the CI-free property.


Figure 17 is another TSA defining the behavior of an inertial Inverter. Figure 17 is identical to
the  TSA  in  Figure  16,  except  that  it  includes  two  additional  transitions  from  the  unstable  locations 
that  model  input  changes  occurring  before  the  output  actions.  Hence,  a  spike  on  the  a  input  to 
the  inertial  Inverter  may  occur  and  not  generate  a  b_  output  action;  this  Inverter  has  inertial-delay 
semantics  during  the  interval  [0,MinD).  In  practice,  it  might  be  the  case  that  an  even  smaller 
inertial  time  period,  and  not  the  whole  time  interval  [0,MinD)  would  be  better  for  high  fidelity 
modeling  because  it  models  the  inertial  and  unreliable  states  of  a  circuit  explicitly.  Such  a  model 
can  be  accommodated  by  adding  another  timing  parameter  to  the  TSA.  For  simplicity,  and  in 
agreement  with  the  general  bi-bounded  delay  model  (BS91,  Bur92)  used  in  all  of  the  related  work, 
more  detailed  models  are  not  described  here. 
The next simple hardware primitive is a two-input And. Figure 18 depicts the logic symbol and the TSA defining the behavior of an inertial two-input And. In unstable locations, until the minimum delay has passed, stabilizing inputs can occur, so the gate has inertial-delay semantics during the interval [0,MinD). In this model, locations are labeled with three-digit binary codes indicating the values of the And's two inputs and output in that location. For example, the location 101 is an unstable location, where input a is asserted, input b is de-asserted, and output c_ is asserted. Note that all eight possible combinations of three boolean variables are represented, so the model is at a detailed level of abstraction. Also note that every TSA input action from a stable to an unstable location resets k and that every unstable location has the invariant k ≤ MaxD for some integral delay MaxD. The And can start from any stable location.


Figure  18.  Two-Input  And  Logic  Symbol  and  TSA. 


Figure  19  depicts  the  logic  symbol  and  Timed  Safety  Automata  (TSA)  defining  the  behavior 
of  an  inertial  two-input  Nand.  A  Nand  is  very  similar  to  an  And,  except  for  the  fact  that  the 
And  stable/unstable  locations  are  swapped  to  Nand  unstable/stable  locations.  Hence,  the  loca¬ 
tion  invariants  are  swapped  from  the  unstable  and-locations  to  the  unstable  nand-locations,  and 
transitions  are  reversed. 
Figure 19. Two-Input Nand Logic Symbol and TSA.


One of the simplest And implementations is to couple a Nand and an Inverter together as shown in Figure 20. Figure 21 is the TLCS definition of a Nand and Inverter composed in parallel. The nand001 c_ output is renamed to mid_, the Inverter a input is renamed to mid, and the Inverter output b_ is renamed to c_ to match the action labels of the 2-input And in Figure 18; the resulting mid_ action is hidden, changing it to τ(mid_).


Figure 20. Nand/Inverter And Implementation Circuit Diagram (inputs a and b, internal signal mid).


parallel([[[nand001,NandMin,NandMax],[[mid,c]]],
          [[inv10,InvMin,InvMax],[[mid,a],[c,b]]]],
         [mid],
         PAnd)

Figure 21. Parallel Nand and Inverter And Implementation.


Depending on the timing of the gates, this parallel And is an acceptable implementation of the And "specification" in Figure 18. Comparing the timing relationships TLC accepts is interesting. Generally, given the And's minimum and maximum delays AndMin and AndMax, one expects that the timing relationship is satisfied whenever NandMin + InvMin ≥ AndMin and NandMax + InvMax ≤ AndMax. That is the case when monotonic gates are used, but it is not the case with inertial gates! With inertial gate models, the parallel-and implementation can output a c_ earlier than the And specification allows when NandMin + InvMin = AndMin.


For  example,  assume  that  the  Nand  and  Inverter  minimum  and  maximum  delays  are  1  and 
2  time  units,  and  that  the  And  specification  minimum  and  maximum  delays  are  2  and  4  time 
units  respectively.  Imagine  the  implementation  and  specification  inputs  wired  in  parallel  together 
as  diagrammed  in  Figure  22,  and  refer  to  the  timing  diagram  in  Figure  23  during  the  following 
discussion. 


Figure  22.  And  Implementation  and  Specification  in  Parallel. 


[Figure 23: timing diagram; time axis T = 0, 1, 2, 3, 4]


Let T be the point of reference for time passing, and let T = 0 just when the last input is asserted from 0 to 1. Then at T = 1.5 the TSA can be in locations implementation:[nand111, inv10] and specification:and110, where both the implementation and specification are in unstable locations. Then τ(mid_) de-asserts (changes from 1 to 0) and moves the TSA to locations implementation:[nand110, inv00] and specification:and110, where only the Nand TSA is in a stable location. If another a input occurs at T = 1.75, before the And can assert its output, then the And specification stabilizes in state and010, and the Nand destabilizes to nand010. Eventually, if no more inputs occur before T = 3.75, the Nand will assert τ(mid_) and stabilize in state nand011. Until the Nand stabilizes, the Inverter is still unstable in state inv00, and it can generate a c_ output for T ∈ [2.5, 3.5]. The specification cannot generate this c_ output. This difference between the specification and implementation outputs is highlighted by the shaded area in Figure 23. If, however, the timing parameters are changed such that the specification's minimum delay (AndMin) is 1 time unit or less, its maximum delay is 4 or more, and the Nand and Inverter delays are bounded by 1 and 2 time units, TLC is satisfied because the implementation cannot then produce any outputs outside the time bounds allowed by the specification.

In general, for inertial gates with non-zero gate delays, given that PMin = NandMin + InvMin and PMax = NandMax + InvMax, TLC holds whenever PMin ≥ AndMin ∧ PMax ≤ AndMax ∧ AndMin ≤ NandMin. Note for example that a Nand with delays in [2,3] and an Inverter with delays in [1,2] satisfies an And specification with delays in [2,6], but switching the delays, i.e., Nand: [1,2] and Inverter: [2,3], fails TLC with the And delay [2,4] because the unstable Inverter can still assert c_ earlier than allowed by the specification, as shown above.
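The argument above can be checked with the following added Python functions; they are not TLCS code and model only the bi-bounded inertial semantics described in this section, for the case the text analyses (the stabilizing input arrives at t < AndMin, so the specification cancels its output). The Nand's second mid_ event after the stabilizing input is ignored, as it is in the discussion above; the delay pairs in the usage are the page's own.

```python
"""Added illustration (not TLCS code) of the inertial-gate timing argument in
Section 6.1.2, using only the bi-bounded inertial semantics described there:
a gate whose stabilizing input arrives before its minimum delay cancels its
pending output; once a gate has produced its output, a later input cannot
take it back. Delays are (min, max) pairs; T = 0 is the last And input
rising; t is when the stabilizing input (the second a) arrives. Only the
case the page analyses, t < AndMin (the specification cancels), is modelled,
and the Nand's second mid_ event after t is ignored, as in the page's text."""


def impl_output_window(nand, inv, t):
    """Times at which the Nand/Inverter chain may still assert c_ after a
    stabilizing input at t, or None if the Nand cancels (t < NandMin).
    The Nand fires mid_ at some m in [NandMin, min(t, NandMax)] and the
    Inverter, which never sees a, then asserts c_ in [m+InvMin, m+InvMax]."""
    nand_min, nand_max = nand
    inv_min, inv_max = inv
    if t < nand_min:
        return None
    return (nand_min + inv_min, min(t, nand_max) + inv_max)


def spurious_output_window(nand, inv, and_, t):
    """Window of c_ outputs the implementation may produce although the And
    specification, cancelled by the input at t < AndMin, produces none."""
    and_min, _ = and_
    if t >= and_min:
        raise ValueError("only t < AndMin (specification cancels) is modelled")
    return impl_output_window(nand, inv, t)


def unsafe_input_window(nand, and_):
    """Stabilizing inputs in [NandMin, AndMin) cancel the specification but
    not the chain; the interval is empty exactly when AndMin <= NandMin."""
    lo, hi = nand[0], and_[0]
    return (lo, hi) if lo < hi else None


def tlc_timing_ok(nand, inv, and_):
    """The page's stated condition for the inertial Nand/Inverter And:
    PMin >= AndMin, PMax <= AndMax and AndMin <= NandMin."""
    pmin, pmax = nand[0] + inv[0], nand[1] + inv[1]
    return pmin >= and_[0] and pmax <= and_[1] and and_[0] <= nand[0]


if __name__ == "__main__":
    # Page example: Nand and Inverter [1,2], And [2,4], second a at T = 1.75.
    print(spurious_output_window((1, 2), (1, 2), (2, 4), 1.75))  # c_ in (2, 3.75)
    print(unsafe_input_window((2, 3), (2, 6)))                    # None: safe pairing
```

For the page's failing configuration the chain may still assert c_ anywhere in [2, 3.75] after the 1.75 input (the text's [2.5, 3.5] is the slice for mid_ at T = 1.5), while the specification emits nothing; for Nand [2,3] with Inverter [1,2] against And [2,6] the same input cancels both gates, and the unsafe input interval [NandMin, AndMin) is empty.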

Verification results are very dependent on the models chosen, as this example illustrates. In particular, TLC verification results differ for the monotonic and inertial gate models. Some of the most difficult errors to track down in hardware devices are those associated with unstable states; since it is important to create designs that do not suffer from obscure defects like this, inertial gate models are used for this research.
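The walk-through above can be reproduced mechanically. The following Python is an added example written for this edition, not TLCS code and not part of the dissertation: it explores the reachable traces of inertial-gate models on a delay grid (0.25 time units, an assumption) for two constructed input schedules, applies a trace-level reading of TLC, and compares the outcome with the closed-form condition stated above. The semantics are a simplified reading of the inertial model: a stabilizing input arriving within [0, MinD) of entering an unstable location cancels the pending output; a stabilizing input arriving at or after MinD is refused, because the gate's TSA has no transition for it, and that refusal is what makes an implementation fail when the specification can still accept the input; delays are chosen afresh at every firing, and simultaneous firings are processed in insertion order.

```python
"""Added example: grid exploration of inertial-gate traces for the
Nand/Inverter implementation of an And, with a trace-level TLC check."""
from itertools import product


def grid(lo, hi, step=0.25):
    """Sample points of the closed delay interval [lo, hi] (step is an assumption)."""
    return [round(lo + i * step, 6) for i in range(int(round((hi - lo) / step)) + 1)]


class Gate:
    """Inertial gate: output wire, input wires, Boolean function, delay bounds."""
    def __init__(self, out, ins, fn, dmin, dmax):
        self.out, self.ins, self.fn, self.dmin, self.dmax = out, ins, fn, dmin, dmax


def _react(gates, wires, pending, t):
    """Successor pending maps after `wires` changed at time t, one per delay choice."""
    kept, fresh = {}, []
    for g in gates:
        if g.out in pending:
            fire, since = pending[g.out]
            if g.fn(wires) == wires[g.out] and t - since < g.dmin:
                continue                       # stabilizing change inside [0, MinD): cancel
            kept[g.out] = (fire, since)        # otherwise the gate has committed to firing
        elif g.fn(wires) != wires[g.out]:
            fresh.append(g)                    # newly unstable: choose a delay on the grid
    for ds in product(*[grid(g.dmin, g.dmax) for g in fresh]):
        yield {**kept, **{g.out: (round(t + d, 6), t) for g, d in zip(fresh, ds)}}


def explore(gates, wires, schedule, observed):
    """All traces of input events and observed outputs, as (t, wire, value) tuples;
    a trace ends with ('refuse', t, wire) when an input arrives that no transition accepts."""
    traces = set()

    def go(wires, pending, schedule, trace):
        t_in = schedule[0][0] if schedule else float('inf')
        t_fire = min((f for f, _ in pending.values()), default=float('inf'))
        if t_in == t_fire == float('inf'):
            traces.add(tuple(trace))
            return
        if t_in <= t_fire:                     # external input; inputs win ties
            (t, w, v), rest = schedule[0], schedule[1:]
            new = {**wires, w: v}
            for g in gates:                    # unstable for >= MinD: the gate must fire first
                if (w in g.ins and g.out in pending and g.fn(new) == wires[g.out]
                        and t - pending[g.out][1] >= g.dmin):
                    traces.add(tuple(trace + [('refuse', t, w)]))
                    return
            for p in _react(gates, new, pending, t):
                go(new, p, rest, trace + [(t, w, v)])
        else:                                  # earliest pending output fires
            out = min(pending, key=lambda o: pending[o][0])
            new = {**wires, out: 1 - wires[out]}
            rest = {o: p for o, p in pending.items() if o != out}
            ev = [(t_fire, out, new[out])] if out in observed else []
            for p in _react(gates, new, rest, t_fire):
                go(new, p, schedule, trace + ev)

    go(wires, {}, list(schedule), [])
    return traces


def conforms(impl, spec):
    """Trace-level reading of TLC: every implementation trace must be a specification
    trace, unless the specification refuses an input at some prefix of it (an
    implementation may accept inputs the specification forbids)."""
    refused = {s[:-1] for s in spec if s and s[-1][0] == 'refuse'}
    return all(tr in spec or any(tr[:len(p)] == p for p in refused) for tr in impl)


# Constructed input schedules: a and b rise together at T=0; in the second,
# a falls again at T=1.75 as in the walk-through above.
SCHEDULES = [[(0.0, 'a', 1), (0.0, 'b', 1)],
             [(0.0, 'a', 1), (0.0, 'b', 1), (1.75, 'a', 0)]]
IMPL_INIT = {'a': 0, 'b': 0, 'mid': 1, 'c': 0}   # stable: nand(0,0)=1, inv(1)=0
SPEC_INIT = {'a': 0, 'b': 0, 'c': 0}


def nand_inv_gates(nand, inv):
    return [Gate('mid', ['a', 'b'], lambda w: int(not (w['a'] and w['b'])), *nand),
            Gate('c', ['mid'], lambda w: int(not w['mid']), *inv)]


def and_gate(spec):
    return [Gate('c', ['a', 'b'], lambda w: int(w['a'] and w['b']), *spec)]


def tlc_by_exploration(nand, inv, spec):
    """Does the Nand-Inverter pair conform to the And specification on both schedules?"""
    return all(conforms(explore(nand_inv_gates(nand, inv), IMPL_INIT, s, {'c'}),
                        explore(and_gate(spec), SPEC_INIT, s, {'c'}))
               for s in SCHEDULES)


def tlc_closed_form(nand, inv, spec):
    """The dissertation's condition: PMin >= AndMin, PMax <= AndMax, AndMin <= NandMin."""
    return (nand[0] + inv[0] >= spec[0] and nand[1] + inv[1] <= spec[1]
            and spec[0] <= nand[0])


def rise_times(nand, inv, schedule):
    """Times at which the implementation can assert c_ on a schedule."""
    traces = explore(nand_inv_gates(nand, inv), IMPL_INIT, schedule, {'c'})
    return sorted({e[0] for tr in traces for e in tr if e[1] == 'c' and e[2] == 1})
```

With Nand and Inverter delays [1,2] and the second schedule, `rise_times` returns the assertions of c_ between T = 2 and T = 3.5 (the glitch window; the text's [2.5, 3.5] is the slice where the Nand fired at T = 1.5), and `tlc_by_exploration` agrees with `tlc_closed_form` on the four delay assignments discussed above: the And specification [2,4] is violated, while [1,4] is satisfied.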

6.1.3 Gate-Level Model Summary. The previous section described two different types of gate-level models: monotonic and inertial. In unstable states, monotonic gates do not allow any stabilizing inputs and always reflect the pending output or internal action. In contrast, inertial gates allow stabilizing inputs in the interval [0, MinD) after the gate entered the unstable state. These stabilizing inputs cancel the pending internal and output actions from those unstable states and more accurately model the behavior of real gates. The more detailed inertial models are better suited for discovering and correcting obscure timing defects. Although even more detailed models are possible, the inertial gates are accurate enough to find real problems and simple enough to support efficient computation of the TLC relation.

6.2  Asynchronous  Hardware  Components 

Many hardware designers may believe that "faster implementations are always better," but, for many low-power and asynchronous designs, specification minimum delays must be verified as well. In the case of the Nand-Inverter implementation of the And from Section 6.1.2, the device to which the And output is connected will likely be sensitive to the Nand-Inverter's unexpected output, so designers must ensure that the implementation's outputs are a timed subset of the specification's, as checked by TLCS. Unstable-location outputs like those from location [nand010, inv00] are very difficult to anticipate and test for in actual circuits; hence the utility of the TLC relation and decision process for rooting out inconsistencies between specifications and implementations. The ability to model timing dependencies like this in detail is especially important for hardware engineers working with high-performance synchronous and asynchronous designs. However, since protocol-dependent asynchronous design allows more variations and poses a more difficult verification challenge, the next section focuses on commonly used asynchronous components composed of several gates.

A short discussion of hazards precedes the first asynchronous hardware component example. A hazard is an unwanted, transient change on a circuit's output or internal state that the intended function does not call for.
6.2.1 Hazards. Asynchronous hardware engineers have used different hazard models to analyze problems with sequential and combinational circuits. Stevens formalized the following assumptions, hazard models, and hazards (Ste94):

Definition 37. Hazard Assumptions.

- Fundamental Mode Assumption The environment is constrained to hold the inputs stable long enough to allow the changes to propagate through the logic, produce the desired results, and stabilize internally before changing the inputs again.

- Isochronous Fork Assumption The difference between delays on the different sections (called forks) of connected wires is insignificant; hence the change in value of a wire is propagated to, and reaches, all devices connected to that wire simultaneously.

Unlike untimed FSM-based logics, TSA models do not constrain designers to adopt either of the above assumptions. Assumptions are specified in the TSA models by their construction. For example, a non-fundamental-mode TSA can be constructed by explicitly modeling all transitions from every location, for all possible times, for every possible input. Sometimes designers might want to do this and include error states for disallowed input sequences or combinations. Typically, however, this is too tedious, so designers may abstract the behavior by leaving out disallowed inputs and relying on TLC to tell them when fundamental mode assumptions are violated.

The  timed  nature  of  the  TSA  implicitly  specifies  when  fundamental  mode  assumptions  are 
being  made  by  explicitly  declaring  the  times  when  inputs  are  possible.  TLCS  ensures  that  the 
fundamental  mode  assumptions  made  by  a  specification  are  not  violated  by  TLC  satisfying  imple¬ 
mentations,  because  as  soon  as  a  specification  TSA  is  ready  for  input,  the  implementation  TSA 
must  also  be  ready  to  accept  the  same  input.  TSA  are  also  powerful  enough  to  model  isochronous 
and  non-isochronous  systems;  a  non-isochronous  situation  can  be  modeled  by  modeling  each  wire 
segment  of  the  system  as  a  buffer-like  TSA  with  its  own  clock. 

Generally,  the  TSA  used  for  this  research  are  isochronous  and  multiple-input-change  (MIC)- 
capable,  and  they  explicitly  specify  the  fundamental  mode  assumptions  made.  Unfortunately,  the 
rapid  linear  increase  in  the  number  of  clocks,  whether  the  clocks  come  from  the  number  of  devices  or 
from  modeling  wires  as  TSA,  exponentially  explodes  the  number  of  possible  timing  relationships  and 
can  make  it  impractical  to  reason  about  even  small  circuits  with  today’s  computers.  Consequently, 
although  TSA  provide  the  capability  to  model  systems  in  as  much  detail  as  required,  one  must 
always  choose  between  model  fidelity  and  practicality. 

Given  Definition  37,  four  hazard  models  can  be  defined.  A  hazard  model  is  a  set  of  conditions 
that  describes  the  level  of  detail  a  designer  uses  to  analyze  a  design. 

Definition 38. Hazard Models.

- Delay Insensitive (DI) Model Both device and wire delays are considered; no isochronous fork assumptions are made. This is the most detailed and accurate model because no timing assumptions apply.

- Quasi Delay Insensitive (QDI) Model Some of the forked interconnections must be isochronous for circuits to be hazard-free. This model makes timing assumptions about some of the wire forks in the design.

- Speed Independent (SI) Model All of the forked interconnects are isochronous, and interconnect delays are lumped into device delays. This model makes timing assumptions about all wires in the design.

- Burst Mode Model Inputs and outputs are mutually exclusive, and the device must stabilize before subsequent inputs arrive. Hence, a burst-mode-compliant device will only generate an output after all inputs in a given input sequence have arrived, and it will not subsequently change its output unless more input changes occur. No new inputs are allowed until the circuit has stabilized. Burst mode is the most abstract of the four hazard models; it can be used with either the DI, QDI, or SI wire model, but it is typically used with the SI wire model.

Depending on the level of detail included in the TSA themselves, all four of the hazard models can be supported by TSA. Modeling some (in the QDI case) or all (in the DI case) wires as buffer-like TSA supports the more detailed QDI and DI hazard models. Therefore, TLCS supports verifying that DI, QDI, and SI implementations and specifications are consistent. The SI model is used in this research, along with upper- and lower-bounded device delays to accommodate some wire length, resistance, and capacitance variations.

Given  the  above  hazard  models,  five  general  and  three  sequential-circuit  hazards  occur  often 
enough  to  have  special  names  and  definitions. 

Definition 39. General Hazards.

- Static Zero Hazard A device output should be stable at zero, but it momentarily outputs one before returning to zero. This is the hazard that disqualifies the Nand/Inverter implementation of the And in the example discussed in Section 6.1.2.

- Static One Hazard A device output should be stable at one, but it momentarily outputs zero before returning to one.

- Dynamic Hazard A device output is changing to a new value, but it changes to that value more than once before stabilizing.

- Function Hazard A particular dynamic hazard that exists in a MIC circuit if and only if an output changes more than once along a minimum-length path of an input transition. Function hazards cannot be removed by changing the circuit design (Ste94:56).

- Delay Hazard A hazard associated with devices having more than one implicant enabling a function output in any location. Because of different delays on the implicant paths, after the faster implicant asserts and before the slower one asserts, subsequent inputs destabilize and de-assert the faster implicant before the slower implicant finally asserts the output.

General  hazards  may  occur  in  any  circuit,  either  combinational  or  sequential,  but  there  are 
three  hazards  explicitly  defined  for  sequential  circuits  only. 

Definition 40. Sequential Hazards.

- Essential Hazard A hazard where the device stabilizes in a different state after a single event than after three consecutive events on the same input.

- Transient Hazard A hazard that occurs from a stable state when two events on a single input return the device to the stable state, and there is a static hazard on any output. This is caused by the output logic, and not the state-holding logic, of the circuit.

- D-Trio Hazard A hazard that occurs when, from a stable state, three input events on a single input return the device to the state entered after the first input, and there are different outputs in any of the entered states.

Given that a specification disallows any of the above hazard conditions and they exist in an implementation, the TLC relation identifies those differences and TLCS reports the first one it encounters, because they all represent implementation outputs that are not allowed by the specification; TLC detects those errors via Formula 23.

Several  different  hazards  have  been  defined  and  related  to  the  Nand  example  already  pre¬ 
sented.  The  next  section  returns  to  more  models  and  the  application  of  TLC  to  more  complex 
designs. 

6.2.2 C-Elements. One commonly used asynchronous circuit component is the C-element. The C-element specification is a level of abstraction above a gate-level model. Table 6 describes the output of a C-element based on its input values.

Table 6. C-element Function.


Figure  24  is  the  C-element  logic  symbol  and  a  specification  TSA.  The  TSA  definition  allows 
specifying  minimum  feedback  delay  (FB)  in  the  environment  from  a  C-element  output  to  its  next  a 
or  b  input,  and  a  minimum  and  maximum  bound  on  the  C-element’s  output  response  from  the  time 
of  the  last  input.  Positive  FB  explicitly  increases  the  amount  of  time  allowed  for  the  implementation 
to  conform  to  the  fundamental  mode  assumption  of  the  C-element.  Positive  FB  adds  to  the  time 
that  passes  in  locations  XY/X,  YX/X,  and  YY/X  before  the  C-element  specification  returns  to 
location  XX/X  where  it  can  once  again  accept  either  an  a  or  b  input. 


Figure  24.  Two-Input  C-Element  Logic  Symbol  and  TSA  Specification. 


The C-element specification TSA in Figure 24 is not complete because it omits the behavior of the C-element when one of its inputs changes value twice before the other input changes. Since that behavior is important in the application focused on in the next section, the missing behavior must be added to the C-Specification TSA. Figure 25 is the "wobbly" C-Specification TSA required.

Figure 25. Wobbly Two-Input C-Specification TSA.

Earlier, Figures 4 and 5 on pages 43 and 43 depicted a standard (but not completely hazard-free) way to implement C-elements and the corresponding TLCS clause defining the parallel C-element implementation.

Note that verifying this implementation of a C-element in untimed calculi, including Logic Conformance, fails except under the burst-mode hazard model (Ste94:p64). Here, using TLCS and the TSA capability to implicitly and explicitly specify the fundamental and burst mode assumptions made in the specification, and the timing of both the specification and implementation components, a rigorous timing analysis can be accomplished. Which implementations will actually satisfy the more detailed timed specification without generally adopting the burst mode model can be determined; TLCS can verify when the implicit burst-mode timing assumptions hold. In particular, for non-zero gate delays, and given that PMin = AndMin + OrMin and PMax = AndMax + OrMax, Table 7 shows the delay value relationships and whether or not TLC holds for the different gate models. As with the And example, in unstable locations hazards can occur when inputs change faster than the minimum delay of the receiving component.
Table 7. C-element Verification Results.

  FB               | Delay Relationship            | Gate Model | TLC
  -----------------+-------------------------------+------------+--------
  any              | PMin ≤ CMin ∨ PMax > CMax     | monotonic  | Fails¹
  FB = 0           | PMin > CMin ∧ PMax < CMax     | monotonic  | Fails²
  0 < AndMax < FB  | PMin ≥ CMin ∧ PMax ≤ CMax     | monotonic  | Holds
  FB = 0           | PMin ≤ CMin ∨ PMax > CMax     | inertial   | Fails¹
  FB = 0           | AndMin > CMin ∧ PMax ≤ CMax   | inertial   | Holds

  ¹ Fails: specification time bounds too tight.
  ² Fails: implementation cannot match specification input/output.

Note  that  monotonic  gates  succeed  only  with  explicit  non-zero  feedback  allowances  extending 
the  amount  of  time  between  C-element  outputs  and  the  new  input.  However,  even  with  FB  =  0, 
inertial  gates  satisfy  TLC  when  AndMin  >  CMin;  once  again,  there  is  a  strong  dependency  on 
the  relationship  between  the  minimum  specification  delay  and  the  minimum  delay  of  the  input 
receiving  component  in  the  implementation. 

Having  described  specifying  and  verifying  C-elements,  the  next  section  discusses  the  next 
level  of  abstraction,  a  component  built  out  of  C-elements. 


6.2.3 STARI Queue Stage. C-elements can be used in tandem to dual-rail encode information in the stages of asynchronous queues. FIFO queue stages are made from C-elements connected together as shown in Figure 26 (TB97). A Nor produces the acknowledgment signal ack_m_. Connecting k of these queue stages together produces a k-length queue. The k-length queue is called STARI (Self-Timed At Receiver's Input). Table 8 defines the dual-rail encoding scheme used in (TB97); the t_n_ and f_n_ values of the individual C-elements determine the value stored in the queue stage; empty distinguishes between a single data item stored for a long time and two consecutive data items of the same value.

Figure 26. STARI FIFO Queue Stage.
Table 8. Dual Rail Encoding Scheme.

Since STARI stages are asynchronous, STARI supports connecting systems together that have some skew between the phases of the sender and receiver clocks. Generally, longer queues tolerate more skew. Given that the clock rate of the receiver is greater than or equal to the clock rate of the transmitter, STARI could be used to connect systems with different clock rates, but the receiver would have to wait for the slower transmitter by watching for t_k_ and f_k_ changes. According to (TB97), correct queue operation depends on proving the following two properties:

1. "Each data value output by the transmitter must be inserted into the FIFO before the next one is output." (i.e., the transmitter must not change input values to the queue until the first FIFO stage acknowledges receiving the input by generating an ack_0_ event.)

2. "A new value must be output by the FIFO before acknowledgment from the receiver." (i.e., the receiver must not generate an ack_k_ event to the FIFO until it has received the data from the last FIFO stage.)

In (TB97), the authors describe using the COSPAN verification system to verify STARI operation as defined in Section 2.2.3. Figure 27 is the timed process that the Berkeley researchers use as a valid abstraction of the STARI FIFO Queue Stage shown earlier in Figure 26; arrows (►) indicate two potential starting locations corresponding to an empty and a full queue stage. The edges necessary to satisfy the nonblocking and stutter closure requirements are not in the diagram. This abstraction does not explicitly constrain the queue stage to legal inputs and legal output sequences; the TLCS model includes these important behavioral constraints.

The corresponding 17-location TSA is shown in Figure 28. This TSA constrains the queue stage to separate each occurrence of true and false inputs with an empty input, and it disallows the illegal dual-rail code as described in the natural language specification. Note that the inputs and outputs of the queue stage are symbolized by the state labels. The letters T, F, and E represent true, false, and empty, and depict both the value of the input and output data signals; hence, the label TE depicts the situation where the stage inputs encode true but its outputs encode empty, and the queue stage is waiting on an ack_m_ before changing its output from empty to true. The binary labels encode the Boolean input and output values (t_m_, f_m_, ack_n_ / t_n_, f_n_, ack_m_). The queue stage timing parameters are [CMin, CMax, NorMin, NorMax], representing the minimum and maximum bounds on the C-elements and Nor used to build the queue stage.

TLCS confirms that the gate-level and C-Specification-level FIFO stage models satisfy the TLC relation with the STARI FIFO Queue Stage specification when consistent timing parameters are used. The gate-level FIFO stage model has 9 clocks; TLCS parallel-composes six 2-input Ands, two 3-input Ors, and a single 2-input Nor to create it. The C-Specification-level FIFO stage model has 3 clocks; TLCS composes two wobbly C-Specification models (Figure 25) and a single 2-input Nor generating ack_m_, as shown in Figure 26. Even though gate delays [1,2] fail when comparing C-element implementations to C-Specifications with any delays in the previous section, gate-level FIFO stage verification succeeds with gate delay [1,2] and C-element delays [2,4]. This is the case because the FIFO queue stage specification so constrains the C-element inputs that the C-elements do not enter the unstable states that cause the problem during the C-element/C-Specification verifications.

Figure 28. STARI FIFO Queue Stage TSA.

Recognizing  where  worst  case  instability  problems  are  avoided  (like  C-elements  with  gate- 
delay  [1,2]  in  STARI),  and  leveraging  their  absence  to  improve  performance  is  a  key  advantage  to 
using  the  TLC  relation  and  TLCS.  Of  course  this  is  done  while  maintaining  confidence  that  the 
system  is  going  to  work  correctly  under  all  possible  conditions  allowed  by  the  specification. 

Notice  that  designers  do  not  need  to  model  the  environment  and  augment  TLC  verification 
with  an  assumes-guarantees  style  reasoning  process  to  factor  in  the  constraints  imposed  on  the 
environment  for  the  design  to  work.  Instead,  those  constraints  are  built  into  the  specifications,  and 
TLC  ensures  that  those  properties  that  are  dependent  upon  the  input  capabilities  of  the  specification 
hold  in  the  implementation.  This  enables  designers  to  rely  on  TLC  verifications  without  separate 
models  for  the  environment.  TLC  also  allows  implementations  the  freedom  to  accept  inputs  that 
the  specification  does  not  allow.  This  allows  more  design  reuse  and  requires  less  effort  during  the 
verification  and  design  process. 

With  the  accurate  STARI  queue  stage  specification  verified  against  the  implementation  mod¬ 
els  at  two  levels  of  abstraction,  the  next  section  discusses  TLC  verification  at  the  next  level  of 
abstraction — the  entire  queue. 

6.2.4 STARI Queue and Perfect Buffer. In the other STARI queue verifications (Gre93, BM98, TB97), researchers include models of a sender and receiver environment in the verification. They usually focus on verifying that STARI can be used to communicate between two synchronous systems operating with some clock skew between them. Figure 29 depicts the STARI queue in its environment. Note that the acknowledgment output of the queue is not connected to the transmitter. Including the environment requires assumes-guarantees style reasoning and complicates the verification process. In this configuration, researchers were obliged to prove that the environment in conjunction with the queue behaves correctly by observing the actions connecting the sender to the queue and the queue to the receiver, with two different queue models but the same sender and receiver models. TLC verification generalizes somewhat by eliminating the sender and receiver models and focusing on comparing the queue directly to a specification of its behavior: a Perfect Buffer (PB).


Figure  29.  STARI  Environment. 


The  general  problem  is  to  size  the  queue  such  that  it  buffers  the  data  between  the  clock- 
skewed  systems,  allowing  the  transmitter  to  output  and  the  receiver  to  input  a  new  data  value 
every  clock  cycle  without  waiting  for  the  queue  during  “steady-state”  operation  (i.e.,  when  the 
queue  is  about  half  full  (Gre93:p35)).  Note  that  empty  is  considered  a  data  value,  and  that  the 
queue  is  not  required  to  output  the  same  data  it  currently  inputs — i.e.,  the  queue  is  in  fact  buffering 
some  data  internally.  How  fast  the  global  clock  operates,  how  much  skew  is  possible,  and  the  speed 
of  the  queue  components  are  of  course  the  parameters  that  determine  how  many  queue  stages  are 
necessary.  Focusing  on  the  queue  itself  avoids  assumes-guarantees  style  verification  complexity. 

Figure 30 is an abstract view of the PB TSA used to formalize queue requirements. It does not explicitly show all of the states that result from the different value sequences the queue can hold. It abstracts these sequences by their length¹. For example, the 4-element string etef represents a PB holding the sequence of four values [empty, true, empty, false], where false will be dequeued next, and empty was the last data item enqueued.

¹During the verification, queue behavior is verified for all possible PB sequences from length n − 1 to n + 1.


Figure  30.  Perfect  Buffer  TSA. 


PB maintains an n-size queue of information. It actually can hold either n, n + 1, or n − 1 (for n > 1) values. For n = 2, the three possible (n − 1)-length values are f, t, and e; the n-length values are ef, et, fe, and te; the (n + 1)-length values are efe, ete, fef, fet, tef, and tet. With two n-length locations for each n-length value, one (n − 1)-location for each (n − 1)-value, and two (n + 1)-locations for each (n + 1)-value, there are (2 × 4) + 3 + (2 × 6) = 23 locations in the n = 2 PB TSA. Following (BM98, Gre93), it is sufficient to focus on the steady-state behavior and verify a ⌈k/2⌉-size PB against queues with k stages. Data inputs (t0, f0) and the acknowledgment input (an) are constrained to happen at least MT time units after the previous data and acknowledgment respectively. Hence, MT is the parameter that specifies the time separation between inputs, or the inverse of the maximum frequency of the clock. The times of the last data and acknowledgment events are independently tracked by separate clocks cd and ca. After receiving an, PB will output t_n_/f_n_ in the time interval [OMin, OMax] after an. OMin and OMax specify the time delay allowed for the queue to update its output after receiving an acknowledgment. Generally, OMin ≤ CMin and OMax < MT − X, where X is the sum of the receiver's setup, hold, and acknowledgment generation delays, satisfy the PB specification.

Table 9 defines PB data input and output. Possible data input actions are determined by the leftmost queue value, q(1), in accordance with the requirement to separate true and false values by empty. Data output actions are determined by the q(n) and q(n − 1) queue values, where q(n − 1) is a don't care. When PB holds n values, it can either input or output a value. When it holds n − 1 values, it cannot output data, but it can input. When it holds n + 1 values, it cannot input data, but it will output. The last (rightmost) value in the queue symbolizes the value that the queue is currently outputting. Input actions t0/f0 and an are constrained to happen within Skew time units of each other.


Table 9. Perfect Buffer Input and Output.
PB specifies that no outputs will occur when Skew input timing constraints are not met. In location [pb, n − 1], when late inputs occur (data arrives more than Skew time units after the acknowledgment), time continues to progress but no actions are possible. All legal inputs when Skew < OMin are verified following the t0/f0 transition from location [pbu, n]. When OMin ≤ Skew ≤ OMax, data inputs from [pb, n − 1] are disallowed for ca > Skew; these are also late inputs. Finally, when Skew > OMax, all inputs in location [pb, n − 1] are allowed; therefore, TLCS verifies that the queue is consistent with PB for all valid time-constraint-satisfying inputs.
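The PB rules above (legal value sequences, the n − 1/n/n + 1 capacity rules, MT separation, Skew pairing of data and acknowledgment inputs, and the [OMin, OMax] output window) can be stated as an executable monitor over a timed event trace. The following Python is an added example for this edition, not TLCS code: it counts the PB locations for n = 2 from the sequence rules and then checks constructed traces against a small PB. The Skew rule is implemented as a simplified pairing (each cycle's data and acknowledgment must arrive within Skew of each other; a late second half is rejected), which is this example's reading of the text rather than the TSA's exact clock constraints; the event encoding (t, 'data', v), (t, 'ack') and (t, 'out', v) is likewise the example's own.

```python
"""Added example: the Perfect Buffer (PB) as an executable timed-trace monitor.
Contents are kept newest-first: q[0] is q(1), q[-1] is q(n), the value on the
output rails.  Assumed event shapes: (t,'data',v), (t,'ack'), (t,'out',v)."""
from itertools import product


def legal_values(length):
    """Strings of the given length over e/t/f in which data values are separated
    by empty, i.e. consecutive symbols alternate between 'e' and t/f."""
    return [''.join(s) for s in product('etf', repeat=length)
            if all((a == 'e') != (b == 'e') for a, b in zip(s, s[1:]))]


def pb_location_count(n):
    """One location per (n-1)-value, two per n-value, two per (n+1)-value."""
    return (len(legal_values(n - 1)) + 2 * len(legal_values(n))
            + 2 * len(legal_values(n + 1)))


class PerfectBuffer:
    def __init__(self, n, mt, skew, omin, omax, contents):
        assert n >= 2 and contents in legal_values(n), "start from a legal n-value"
        self.n, self.mt, self.skew, self.omin, self.omax = n, mt, skew, omin, omax
        self.q = list(contents)
        self.now, self.last_data, self.last_ack = 0.0, None, None
        self.ack_at = None      # time of an acknowledgment whose output is still owed
        self.open = None        # ('data'|'ack', t): first half of the current cycle

    def _pair(self, kind, t):
        """Simplified Skew rule: a cycle's data and ack must lie within Skew."""
        if self.open is None:
            self.open = (kind, t)
            return True
        other, t0 = self.open
        if other == kind or t - t0 > self.skew:     # second half late: no actions possible
            return False
        self.open = None
        return True

    def step(self, ev):
        """Apply one event; False means the PB specification has no such transition."""
        t, kind = ev[0], ev[1]
        if t < self.now:
            return False
        self.now = t
        if kind == 'data':
            v = ev[2]
            if len(self.q) > self.n:                       # n+1 values: cannot input
                return False
            if (v == 'e') == (self.q[0] == 'e'):             # must alternate with q(1)
                return False
            if self.last_data is not None and t - self.last_data < self.mt:
                return False                               # clock cd below MT
            if not self._pair('data', t):
                return False
            self.q.insert(0, v)
            self.last_data = t
            return True
        if kind == 'ack':
            if len(self.q) < self.n or self.ack_at is not None:   # n-1 values: no output
                return False
            if self.last_ack is not None and t - self.last_ack < self.mt:
                return False                               # clock ca below MT
            if not self._pair('ack', t):
                return False
            self.ack_at = self.last_ack = t
            return True
        if kind == 'out':
            if self.ack_at is None or not (self.omin <= t - self.ack_at <= self.omax):
                return False                               # outside [OMin, OMax] after an
            self.q.pop()                                   # retire the acknowledged q(n)
            self.ack_at = None
            return ev[2] == self.q[-1]                     # the new q(n) is what appears
        return False


def check(pb, events):
    """Index of the first event the PB specification rejects, or None if all pass."""
    for i, ev in enumerate(events):
        if not pb.step(ev):
            return i
    return None


# Constructed steady-state trace for n=2, MT=12, Skew=2, OMin=1, OMax=2,
# starting from contents 'et' (true currently on the output rails).
STEADY = [(0, 'data', 'f'), (1, 'ack'), (2, 'out', 'e'),
          (12, 'data', 'e'), (13, 'ack'), (14.5, 'out', 'f')]


def demo():
    return check(PerfectBuffer(2, 12, 2, 1, 2, 'et'), STEADY)
```

Each rejected trace in the test mirrors one rule of the text: a second empty after an empty breaks the separation rule, an output 2.5 time units after the acknowledgment is outside [OMin, OMax], a data input 5 time units after the previous one is under MT, and an acknowledgment 3 time units after the data exceeds Skew.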

Since the STARI queue acknowledgment output is not connected to the transmitter, the ack_0_ of the first STARI queue stage is hidden (i.e., it becomes an internal τ(ack_0_)) to compare queue implementations to PB.
Table 10 summarizes the STARI versus PB verification results for different numbers of stages while varying Skew and the minimum time separation (MT). It shows the MT required for both the abstract fifo-spec-based queue model (MT-A) and the intermediate C-element-based and Nor-based queue model (MT-I) for TLCS verifications to fail/succeed with two to four queue stages and Skews ranging from two to six time units. OMin and OMax are tightly constrained to the same bounds as the C-element (i.e., data output must occur one to two time units after the acknowledgment input). In row 7 the "?" indicates that TLCS aborts because it ran out of global stack while computing TLC on a four-stage queue intermediate-level model for MT=8; hence there is no data for this or subsequent intermediate-level TLC verifications. Verification of a gate-level queue against PB is not shown because parallel composition of a two-stage gate-level queue (eighteen gates) in TLCS aborts because of stack limitations of the current parallel composition implementation. Single-stage gate-level queue verifications succeed consistently with intermediate-level and abstract-level verifications.


Table 10. STARI vs. PB Results: Varying Skew & MT.
?: SWI-Prolog out of memory.

Note that for all verifications, the more abstract model is never optimistic about the results: the more abstract queue implementation (MT-A column) requires the same or a longer MT than the less abstract queue implementation (MT-I column) requires to model the same Perfect Buffer specification. Generally, increasing the Skew while holding the number of queue stages fixed forces the input frequency down (MT increases). With Skews of four, five, and six, the performance of the three-stage queue is better than that of the four-stage queue! This result runs counter to the intuition that longer queues always allow more skew; it depends on how tight the timing constraints are. Adding an extra queue stage improves the frequency for one Skew: three abstract queue stages with Skew two require MT=9 to model PB (row 2), and with four abstract queue stages MT=8 models PB (rows 3 and 7), but for the rest (e.g., Skew three requires MT=9 to model PB for both three-stage and four-stage queues) more queue stages do not help. This is because as queue length increases, there is a longer delay for a newly inserted datum to move through the queue, and under certain conditions the new datum does not reach the last queue element in time to satisfy the PB output constraints because OMax is too tight. This is precisely why, with Skews of four, five, and six, the three-stage queue outperforms the four-stage queue under the tight OMax constraint.

Table 11 shows fifo-spec-level STARI verification results while holding MT=12 time units and Skew at two time units and varying OMax for two different sets of bi-bounded delays. It reports which implementations satisfy a static period and clock skew. A "Y" in columns two to four means that TLC is satisfied between the STARI queue and PB, an "N" means that TLC is not satisfied, and a "?" means that the current TLCS implementation exceeded memory limits before completing the computation. Column two also reports some TLCS UltraSparc One performance statistics for the Min/Max = 1/2 verifications. These results are comparable to those in (TB97) and (BM98).

Table 11. STARI ≼_L PB Results: Varying Imp Delays & # Stages. [Table body not reproduced in this text.]

In Table 11, column two, a STARI queue implementation in steady state with gate delays and C-element delays in [1,2] will always accept inputs and produce outputs without delaying the transmitter or receiver as long as the inputs and outputs occur twelve or more time units after the previous input and output and within two time units of each other, as is shown in (TB97). Tasiran and Brayton were able to verify the behavior of an eight-stage queue with their less detailed data model, while the current TLCS implementation is limited to six stages. The TLCS verification includes checking that the sequence of correctly encoded values input to the queue is output correctly, and the TLC verification methodology needs no extra assumes-guarantees proofs.

The results in Table 11, columns three and four, are generally consistent with those in (BM98). Bozga and Maler use a less detailed discretized intermediate-level queue model with timing delays CMin = NorMin = 2 and CMax = NorMax = 4, and they claim that their STARI queue simulates the behavior of their ideal buffer for a clock period of twelve time units and a Skew of two time units with from one to eighteen stages; they have successfully verified up to five stages in a discretization fine enough to be equivalent to a dense model like the one TLCS uses. Unfortunately, the TLCS results cannot be compared directly with Bozga and Maler's because the exponential state space required to handle the larger number of clocks and higher integer bounds exceeds the memory allocation limits of SWI-Prolog with more than three stages. This constrains verification to fewer than four stages when using the more detailed dense models in TLCS. However, depending on how much set-up and hold (S&H) time the receiver requires via the timing parameter OMax, TLC holds or fails. Apparently, S&H was not factored into the STARI verifications in (BM98). If the receiver requires S&H ≤ 2, then TLCS agrees with their results. This is illustrated by the differences between columns three and four for two queue stages in Table 11. The amount of time allowed for S&H is MT − OMax. In column three, three time units are allowed for S&H, and in column four only two time units are allowed. TLC does not hold in column three when OMax = 9 (S&H = 3) and Min/Max = 2/4.
The visible sequence

    =12,an,t0,4,tn_,8,an,f0,4,fn_,8,an,f0,8,fn_,4,an,t0,8,tn_,4,an,0.001,t0,
    4,tn_,7.999,an,0.001,f0,4,fn_,7.999,an,0.001,f0,7.999,fn_,4.001,f0,0.001,
    an,3.999,fn_,8,f0,0.001,an,3.999,fn_,8,t0,0.001,an,3.999,tn_,8,t0,0.001,
    an,7.999,tn_,4.001,an,0.001,t0,4,tn_,8,t0,1,an,3,tn_,8,f0,1,an,3,fn_,8,
    f0,1,an,7,fn_,4,t0,1,an,3,tn_,8,t0,1.001,an,2.999,tn_,8,f0,1.001,an,
    2.999,fn_,8,f0,1.001,an,6.999,fn_,4,t0,2,an,2,tn_,8,t0,2,an,2,tn_,8,f0,2,
    an,2,fn_,10,an,1,f0,4,fn_,7,an,1,f0,4,fn_,7,an,1.001,f0,4,fn_,6.999,an,
    1.001,f0,7.999==>

leads to the states and combined time vector:

    I: [fifo_specFF,fifo_specFEU]
    S: [pbu,fe]
    T: [[[k0,3,4],[k1,3,4],[k2,9,9],[k3,7,8]],[[k0,k1],[k3],[k2]]]

    Where possible Imp Actions are: [f0,fn_]
    and possible specification Actions are: [fn_]
    and future Imp outputs are not matched by the Spec.

    IInv: [[k1,leq,4]]
    A:f0   G:[]            R:[]    I_:[fifo_specEF,fifo_specFEU]
    A:fn_  G:[[k1,geq,2]]  R:[k1]  I_:[fifo_specFF,fifo_specFFU]

    SInv: [[k2,leq,9]]
    A:fn_  G:[[k2,geq,2]]  R:[]    S_:[pb,f]

where the implementation's fn_ output can occur later than the specification's fn_ output because the specification cannot stay in location [pbu,fe] after clock k2 = 9. This late output violates the TLC relation because it infringes on the S&H requirements of the receiver, but TLC holds in column four when OMax = 10 (i.e., the receiver's S&H allowance is tightened from three to two time units). In this case, if the S&H requirements of the receiver are less than or equal to two time units, then TLC holds and TLCS confirms Bozga and Maler's results. Unfortunately, the current TLCS stack limitations keep us from checking their results for more than a three-stage queue when using queue-stage models with bi-bounded delays [2,4].


The original proof of correctness for STARI is found in Greenstreet's dissertation. Comparing his model and its limitations with the TLCS verification is enlightening. First, focus on the similarities. The most important similarity is that TLCS and Greenstreet both model STARI with discrete functional events rather than analog voltage levels (Gre93:p146). Second, neither TLCS nor Greenstreet proves properties about the initialization of the queue. Both "proofs" start by assuming an initialized queue that is half full. Greenstreet argues convincingly that initialized conditions are easy to establish in the implementation, so it is not an issue for either "proof."

In Greenstreet's original STARI proof of correctness, he focused on verifying that the signaling protocol of the queue was observed by formulating and proving invariant properties about the queue's timing expressed as synchronized transitions, but he did not prove that some other correctness criteria are satisfied (Gre93:p144), and here is where there are some significant differences between the "proofs." For example, he did not prove that the sequence of values output by the FIFO is the same as that input because he did not model the actual data values themselves. In contrast, the TLCS STARI verification does model the data values explicitly, and since the perfect buffer outputs the sequence of values it receives, TLCS verifies that the queue does as well. Greenstreet's detailed proof also models the transmitter and receiver repeatedly synchronizing exactly at specified time intervals; since the TLCS verification explicitly allows up to Skew time units between the data and acknowledgment inputs, the TLCS verification is more general in that sense. Perhaps the most significant limitation of his analysis is that his FIFO stage models abstract the data and acknowledgment outputs into a single atomic action (Gre93:p145). Since these are actually three separate signals produced by three components with their own distinct delays in his implementation, the TLCS model is more realistic and therefore closer to verifying the actual circuit behavior. Unfortunately, his abstractions prevent a thorough quantitative comparison of his results directly with TLCS's, but a single counterexample suffices to show the need to model and "prove" the circuit's behavior with higher-fidelity models.
Greenstreet derives Formula 34 (Gre93:p33) for the skew tolerance (Δ) of an n-length queue with period π and C-element delay δ:

    Δ = (n + 1)(π − 2δ)    (34)
According to Table 11, column 3, where n = 2 = Q Stages, π = 12 = MT, and δ = 4 = CMax, Greenstreet's formula gives Δ = 12, but TLCS produces the late-output counterexample with a skew of only two, as discussed above. Even if π = 9 = OMax, Δ = 3 > 2; this remains a late-output counterexample. Fundamentally, Greenstreet's results differ from the TLCS results because the delay of the Nor used to compute the acknowledgment signals in the implementation is ignored by his analysis when he assumes that each C-element computes its data output and acknowledgment simultaneously.

6.2.5 Comparing Verification Methodologies. Generally, from gate level to Perfect Buffer, the TLC verification methodology requires three verifications to hierarchically verify the abstract Perfect Buffer against a gate-level implementation. At the top-most level, a monolithic ⌈n/2⌉-size PB is the specification (Figure 30), and the implementation is an n-stage STARI FIFO Queue composed from n Queue Stage TSA (Figure 28); i.e., the verification proves QS_1 || QS_2 || ... || QS_n ≼_L PB(n/2). The second verification's specification is a single STARI FIFO Queue Stage specification, and the implementation is a three-component parallel-composed C-element/Nor intermediate-level queue stage (Figure 26); i.e., the verification proves C_1 || C_2 || Nor ≼_L QS. The final verification's specification is the Wobbly-C-element specification (Figure 25) against its four-component And-Or gate-level implementation (Figure 4); i.e., the verification proves And_1 || And_2 || And_3 || Or ≼_L C. In the preceding discussion, results from several other verifications are presented to show that composing components and verifying across more than one level of abstraction are easy using TLCS.

In  contrast,  applying  the  assumes-guarantees  verification  methodology  to  STARI  (TAKB96, 
TB97)  is  more  expensive  and  is  not  as  detailed.  It  requires  more  verifications  and  the  construction 
of  extra  abstract  models,  and  it  does  not  verify  a  gate-level  implementation  of  the  C-element. 

Most of the extra verifications are required to show that the abstract FIFO stage model depicted earlier in Figure 27 is a correct abstraction of the Figure 26 intermediate-level queue stage in its environment. Let F and A denote the intermediate-level queue stage and abstract FIFO stage timed processes respectively, and Tx and Rx denote the transmitter and receiver timed processes modeling the queue environment. Proving the abstraction valid requires proving for an n-length queue that

    Tx || F_1 || F_2 || ... || F_n || Rx  ≼_L  Tx || A_1 || A_2 || ... || A_n || Rx

Since the environment for each pair of models (e.g., F_2 and A_2) is different, n separate assumes-guarantees proofs are normally required. They were able to construct models E_left and E_right generalizing the environment to the left and right of the i-th component and so reduce the number of verifications required. This reduces the main verification to

    E_left || F_i || E_right  ≼_L  E_left || A_i || E_right

at the expense of showing that E_left and E_right are correct abstractions for the left- and right-hand sides of each module i; i.e.,

    ∀ i ∈ [1..n] [ Tx || A_1 || A_2 || ... || A_(i-1) ≼_L E_left  ∧  A_(i+1) || A_(i+2) || ... || A_n || Rx ≼_L E_right ]

This can be shown by induction on i by

1. showing Tx ≼_L E_left;

2. assuming Tx || A_1 || A_2 || ... || A_(i-1) ≼_L E_left and showing Tx || A_1 || A_2 || ... || A_i ≼_L E_left;

3. concluding Tx || A_1 || A_2 || ... || A_(i-1) ≼_L E_left for every i ∈ [1..n].

So, the assumes-guarantees methodology requires six verifications:

1. Tx ≼_L E_left*

2. E_left || A_i ≼_L E_left

3. Rx ≼_L E_right

4. A_i || E_right ≼_L E_right

5. E_left || F_i || E_right ≼_L E_left || A_i || E_right

6. Tx || A_1 || A_2 || ... || A_n || Rx satisfies the two timing properties enumerated earlier:

   (a) "Each data value output by the transmitter must be inserted into the FIFO before the next one is output." (i.e., the transmitter must not change input values to the queue until the first FIFO stage acknowledges receiving the input by generating an ack_0_ event.)

   (b) "A new value must be output by the FIFO before acknowledgment from the receiver." (i.e., the receiver must not generate an ack_n_ event to the FIFO until it has received the data from the last FIFO stage.)

and four abstract models (Tx, Rx, E_left, E_right) that the TLC methodology does not require.

*This requires disallowing the transmitter from changing its data output if the first stage has not copied the transmitter's previous output value (caring about ack_0_) and later proving that the transmitter never wants to modify its data output while the first stage is not ready.

For each of the first five verifications, COSPAN requires inputting untimed mappings between the state spaces of the models being compared. TLCS's single C-element/Nor versus Queue-Stage specification verification is equivalent to these five verifications and does not require the higher-order inductive logic step.

The sixth verification is required to prove properties that are verified directly by the TLC verification between PB and the Queue. In the first case, PB's input of a value must always be matched according to Formula 22; in the second case, all outputs produced by the Queue must be allowed by PB according to Formula 25. The authors did not explain the property verification (number 6), but it must be a model checking proof; interestingly, it required over 37 times the amount of time and 14 times the memory of the other proofs. In fact, they were unable to complete this verification for a 3-stage F-model FIFO using 1GB of memory (TB97). As shown in Table 10, TLCS completes verification on 3-stage models of similar complexity (the MT-I column, rows 2-6).

Although the models used in Bozga and Maler's STARI verification are described in detail, the verification methodology is not described in detail (BM98). The implementation models they use are at an intermediate level of complexity and do not go all the way down to a gate-level C-element implementation. Their "ideal buffer" specification model of the queue in its environment is similar to the perfect buffer, except that it consists of four timed automata: clock, transmitter, receiver, and queue. They use a Binary Decision Diagram (BDD) extension of the Kronos tool (ABK+97) to compute that n-length intermediate-level queues simulate ideal buffers of size n when both are initialized with n/2 data values for n ∈ [1..18]. They use a discrete model of time with integral time steps. They claim that the discrete semantics coincide with the dense semantics when they use 1/k time steps for k-clock systems, and with that fine a discretization they are only able to verify (n = 5)-stage models, compared to the (n = 3)-stage TLCS verification.

Since the Kronos verification methodology is based on the simulation relation with models of the environment, the methodology is also bound by the assumes-guarantees rule. The discretization simplification allows them to perform the whole verification at once, saving the effort required to verify the decomposition of the verification. They do not need to do the five extra verifications required with the COSPAN methodology or build the models E_left and E_right; the tool handles the state space explosion of the entire verification. Whenever the entire verification cannot be done at once, they too must construct extra abstract models and do the associated verifications to check their validity. In any case, they build three models (clock, transmitter, and receiver) to support their verification methodology. These models are not required for the TLC verification.
6.3 Summary


This chapter demonstrated the utility of Timed Safety Automata models and the Timed Logic Conformance (TLC) relationship for systems engineering and verification. It described canonical system models for monotonic and inertial hardware primitives, explained the results of TLC verifications at several different levels of abstraction, and compared the TLCS results and verification methodology with other published work.

Generally, despite modeling systems in more detail than others, TLCS computes comparable results even though it explicitly enumerates states and is written in Prolog. Using the asynchronous STARI verification problem as a benchmark, TLCS confirms the Berkeley researchers' results (TB97); the TLCS models extend the verification to include data values passing correctly through the queue, and no assumes-guarantees reasoning is required to accomplish the verification. Compared with the results of the French researchers from VERIMAG (BM98), TLCS generally confirmed their results but pointed out an important counterexample when the set-up and hold time requirements of the receiver are taken into account. The TLCS model is much more detailed than the original proof of STARI correctness (Gre93), proving properties about the actual data transferred as well as showing a counterexample to the formula derived for allowable skew between sender and receiver clocks when the more realistic model is used.

TSA are well suited for modeling systems at various levels of abstraction, and the TLC relationship is useful for verifying when one TSA is an acceptable implementation of another. TSA modeling and TLC verification support incorporating the environmental constraints into specifications in a natural way. This reduces the modeling problem by eliminating environmental models, and the incorporated environmental constraints minimize the number of states that must be examined, making a fair tradeoff possible between model fidelity and computational complexity.

The TLC verification methodology is simpler than the assumes-guarantees methodology because no assumes-guarantees proof obligations or extra abstract models are required to support decomposing the verification task.

This  chapter’s  contributions  are: 

•  Definition  and  application  of  canonical  inertial  and  monotonic  hardware  modeling  techniques. 

•  Demonstration  of  a  simple  and  relatively  efficient  verification  methodology  that  supports 
using  more  detailed  models  and  discovers  subtle  problems  not  exposed  by  others. 

•  A  comparison  and  critique  of  TLCS  verification  results  against  other  published  work. 

•  A  comparison  and  critique  of  the  TLC  verification  methodology  against  other  published  work. 
VII. Conclusions


This chapter summarizes the problem and lists the research objectives. Then, it enumerates and explains the research contributions. After proposing some future research opportunities, it concludes with final remarks.

7.1 Summary

Chapter  II  defined  and  described  several  example  formalisms  for  modeling  and  reasoning 
about  the  “equivalent”  behavior  of  concurrent  systems.  There  are  some  significant  expressiveness 
problems  with  these  formalisms.  Upper  and  lower  time  bounds  (bi-bounded  delays)  are  difficult 
to  define  in  the  simplest  models.  Some  of  the  simpler  models,  and  even  the  more  complicated 
ones,  have  nonintuitive  semantics  such  as  the  maximal-progress  semantic  leap  from  two  processes 
waiting  individually  to  perform  their  actions  to  cooperating  processes  that  cannot  wait  to  perform 
their  cooperative  actions.  None  of  the  process-algebra-style  models  support  expressing  general 
temporal  relationships  between  actions  that  do  not  sequentially  follow  each  other.  Timed  processes 
support  expressing  general  temporal  relationships  between  actions,  but  they  are  quite  complicated 
because  they  use  state  functions  to  define  outputs  and  invariants,  and  sequences  of  events  to  define 
process  semantics.  Furthermore,  in  order  for  timed  processes  to  be  reasoned  about  consistently, 
they  must  be  nonblocking.  This  dramatically  increases  the  complexity  of  both  the  model  building 
and  verification  task. 

Chapter II also discussed the timed "equivalence" relationships Timed Bisimulation and Weak Timed Bisimulation for TCCS agents, CTR Refinement for CTR agents, and Timed Simulation and Timed Implementation between timed processes. The bisimulation relationships generally restrict designer freedom too much and do not allow efficient implementations. The CTR refinement relationship is looser, but CTR allows implementations that do not accept all the inputs accepted by the specification, so CTR is formalized "backwards." Timed Simulation is better than the bisimulation straitjacket, but its assumes-guarantees methodology requires many iterations of expensive verifications just to "verify the verification" because of circular dependencies between environment and system models. Chapter II revealed that the existing tools for the most powerful methodology require a lot of user input that is not straightforward to supply.

In summary, Chapter II demonstrated the need for a simpler and yet powerful modeling formalism to accurately express the relationship between behavior and time. Designers also need a more practical mathematical relationship between models that supports an automated verification methodology that factors in environmental timing properties without building many different models of the environment and using them to "verify the verification."

These  were  the  specific  research  objectives: 

1. Adopt or create a simple modeling formalism rich enough to express discrete-valued behavioral properties and timeliness requirements of digital circuits while modeling continuous time.

2. Canonically define how to model digital circuit components and specify required behaviors and timing using the modeling formalism.

3. Formally define a practical relationship that expresses when one model satisfies the timing and behavioral requirements of another. Prove that the relation has the necessary mathematical properties for meaningful verification.

4.  Write  a  tractable  computational  procedure  that  calculates  when  the  relation  holds  between 
two  models. 

5.  Demonstrate  the  utility  of  the  relation  on  benchmark  digital  circuit  design  problems. 

6.  Define  a  verification  methodology  for  using  the  relation  to  efficiently  hierarchically  verify 
larger  systems. 

These  objectives  have  been  accomplished. 
7.2 Contributions


After  enumerating  contributions  organized  by  topic,  the  following  sections  summarize  and 
explain  them. 

•  TSA  Model  of  Computation 

1.  Simpler  than  timed  processes. 

2.  More  expressive  than  most  other  “simple”  models.  Theoretically  unlimited  power  to 
express  the  timing  relationships  between  actions. 

3.  A  formal  definition  of  synchronous  parallel  composition,  and  a  useful  implementation  of 
the  composition  procedure  in  TLCS. 

4.  Simple  rules  and  canonical  forms  for  modeling  hardware  components  as  TSA. 

•  TLC  Formal  Relationship  Between  Models 

1. Safely weakens "equivalence" and gives designers the structural, temporal, and behavioral freedom they need to design and reuse efficiently.

2.  Relaxes  timing  requirements  “the  right  way.” 

3.  Relatively  efficient — avoids  checking  irrelevant  state  space. 

4.  “Completes”  the  model  checking  verification  process. 

5.  An  “efficient”  implementation  of  the  TLC  decision  procedure  and  demonstration  of  its 
utility  on  benchmark  problems. 

•  Verification  Methodology 

1.  A  more  powerful  and  efficient  hierarchical  verification  methodology. 

2. Breaks the verification task down into independent sub-verifications.




3.  Avoids  always  considering  changes  in  the  environment  and  other  modules  at  every  level 
of  design. 

4.  Fewer  abstract  models  required. 

5.  Requires  no  user-supplied  state  relation. 

7.2.1 Model of Computation. The "simple" and expressive Timed Safety Automata (TSA) model of computation as adapted for this research does not suffer the deficiencies revealed in Chapter II. TSA support high-fidelity modeling of electronic circuits when constrained as required by the unique Def. 30 modeling constraints and bi-bounded inertial delay modeling techniques. The formal synchronous TSA parallel composition rules and the TLCS implementation of them support modeling and equivalence checking of large and complex circuits.

TSA suffer none of the expressiveness problems associated with untimed process algebras. Upper and lower time bounds (bi-bounded delays) are easily defined using TSA location invariants and transition guards. The maximal-progress semantic leap (from two processes waiting individually to perform their actions to cooperating processes that cannot wait to perform their cooperative actions) does not exist in the TSA parallel composition rules. General temporal relationships between actions that do not sequentially follow each other are easy to express in TSA by resetting a clock and freely using clock predicates to define the relationship.

The Mealy-machine TSA model is simpler than the Moore-machine COSPAN timed process model. TSA do not define output by associating functions with locations. The TSA model is easier to use. Users need not specify behaviors for all inputs in all states for all possible times at every level of the hierarchy. Only those inputs necessary to satisfy the TLC relation with the specification and to satisfy the CI-free property in compositions must be defined. In another sense, the TSA model is more expressive than both timed processes and process algebras because TSA allow users to use {<, ≤, =, ≥, >} instead of just {<, >, =} to define timed behavior using clock constraints. The TSA model is also simpler than the most expressive process-algebraic model because it requires only about half as many rules to define model semantics and parallel composition.

The  TSA  model  works  well  for  describing  behavior  at  many  different  levels  of  abstraction. 
Chapters  IV  and  VI  specified  novel  rational  modeling  constraints  and  defined  canonical  ways  to 
monotonically  and  inertially  model  implementation-level  primitive  hardware  circuits.  Chapter  VI 
demonstrated  using  those  models  in  example  verifications  from  handfuls  of  gates  to  a  dual-rail- 
encoded  queue  for  interfacing  systems  with  clock  skew  between  them. 

7.2.2 Formal Relationship Between Models. Chapter IV formally defined the timed equivalence relation, Weak Timed Bisimulation, that relates Dense Labeled Transition Systems (DLTS's) with different internal action sequences but the same observable action sequences and timing. To relate systems that do not have exactly the same timing, Chapter IV also defined how to abstract away the temporal differences between TSA, and how to use those abstractions to weaken Weak Timed Bisimulation via the partial-order Timed Logic Conformance (TLC) relation.

With  a  few  well-defined  exceptions,  TLC  requires  that  implementation  inputs  are  a  timed 
superset  of  specification  inputs  and  that  implementation  outputs  are  a  timed  subset  of  specification 
outputs.  TLC  formalizes  these  notions  and  specifies  when  an  implementation  can  safely  replace  a 
specification,  and  it  has  the  necessary  mathematical  properties  to  support  hierarchical  verification 
of  larger  systems  with  the  exception  that  one  must  be  careful  when  the  most  abstract  specification 
is  parallel  composed. 
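As an added illustration of the asymmetric matching just described (implementation inputs a superset of specification inputs, implementation outputs a subset of specification outputs, extra implementation inputs ignored), and of the late-output counterexample from the Table 11 discussion in Chapter VI, the following Python sketch runs a TLC-style check over two one-clock, integer-time automata. It is not part of TLCS or the dissertation and omits what the real decision procedure handles: region automata over several real-valued clocks, internal actions, and clock resets chosen per edge. The location names, the actions d, o and reset, the OMin/OMax/MT values and the convention that the single clock resets on every edge are assumptions made for this example only.

```python
from collections import deque
from dataclasses import dataclass

# Added example, not TLCS code: one-clock integer-time TSA and a TLC-style
# conformance check with asymmetric input/output matching.


@dataclass(frozen=True)
class Edge:
    src: str
    action: str
    kind: str   # "in": supplied by the environment; "out": produced by the automaton
    lo: int     # guard: clock >= lo
    hi: int     # guard: clock <= hi
    dst: str


class TSA:
    """One-clock timed safety automaton. The clock is reset on every edge (an
    assumption of this sketch), so a guard [lo, hi] together with the location
    invariant clock <= inv[loc] expresses a bi-bounded delay."""

    def __init__(self, init, inv, edges):
        self.init, self.inv, self.edges = init, inv, edges

    def enabled(self, loc, clk, kind):
        return [e for e in self.edges
                if e.src == loc and e.kind == kind and e.lo <= clk <= e.hi]

    def can_delay(self, loc, clk):
        return clk < self.inv[loc]


def check_tlc(impl, spec):
    """Breadth-first search of the joint state (impl loc, impl clock, spec loc,
    spec clock). Returns None when impl conforms, otherwise a reason string.
    Rules applied at every joint state:
      - every output impl can emit now must be allowed by spec now;
      - every input spec allows now must be accepted by impl now;
      - inputs impl accepts that spec never issues are not explored;
      - if spec's invariant forbids waiting while spec has an output pending,
        impl may not keep waiting (late output);
      - impl must not be stuck with nothing enabled when it cannot wait."""
    start = (impl.init, 0, spec.init, 0)
    seen, work = {start}, deque([start])
    while work:
        li, ci, ls, cs = work.popleft()
        nxt = []
        spec_out = {e.action: e for e in spec.enabled(ls, cs, "out")}
        for e in impl.enabled(li, ci, "out"):
            if e.action not in spec_out:
                return f"unexpected output {e.action} at impl {(li, ci)}, spec {(ls, cs)}"
            nxt.append((e.dst, 0, spec_out[e.action].dst, 0))
        impl_in = {e.action: e for e in impl.enabled(li, ci, "in")}
        for e in spec.enabled(ls, cs, "in"):
            if e.action not in impl_in:
                return f"refused input {e.action} at impl {(li, ci)}, spec {(ls, cs)}"
            nxt.append((impl_in[e.action].dst, 0, e.dst, 0))
        impl_waits = impl.can_delay(li, ci)
        if impl_waits and spec.can_delay(ls, cs):
            nxt.append((li, ci + 1, ls, cs + 1))      # both let one time unit pass
        elif impl_waits and spec_out:
            return (f"late output: spec must emit {sorted(spec_out)} at {(ls, cs)} "
                    f"but impl still waits at {(li, ci)}")
        elif not impl_waits and not nxt:
            return f"implementation timelock at {(li, ci)}"
        for s in nxt:
            if s not in seen:
                seen.add(s)
                work.append(s)
    return None


def perfect_buffer(mt, omin, omax):
    """Constructed spec: a datum d arrives within mt of the previous output and
    must be re-emitted as o between omin and omax time units after arrival."""
    return TSA("e", {"e": mt, "f": omax},
               [Edge("e", "d", "in", 0, mt, "f"),
                Edge("f", "o", "out", omin, omax, "e")])


def queue_stage(accept_by, lo, hi, idle=12):
    """Constructed impl: accepts d up to accept_by after its last output, emits o
    with bi-bounded delay [lo, hi], and also accepts a reset input that the
    specification never issues (so the check ignores it)."""
    return TSA("E", {"E": idle, "F": hi},
               [Edge("E", "d", "in", 0, accept_by, "F"),
                Edge("E", "reset", "in", 0, idle, "E"),
                Edge("F", "o", "out", lo, hi, "E")])


def demo():
    spec = perfect_buffer(mt=12, omin=1, omax=9)
    return {
        "in_window": check_tlc(queue_stage(12, 2, 4), spec),   # None: conforms
        "late":      check_tlc(queue_stage(12, 2, 10), spec),  # late output at clock 9
        "early":     check_tlc(queue_stage(12, 0, 4), spec),   # output before OMin
        "refuses":   check_tlc(queue_stage(8, 2, 4), spec),    # refuses d at clock 9
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result or 'conforms'}")
```

The four cases in demo() correspond to an output window inside the specification's [OMin, OMax] (conforms); an implementation that can still wait when the specification's invariant has expired with an output pending (the same shape as the fn_ late-output failure at OMax = 9 in column three of Table 11); an output before OMin (an output the specification does not allow); and an input the specification's environment may supply at clock 9 that the implementation no longer accepts. The reset input is never explored because the specification never issues it, which is the "ignore extra input derivatives" behavior of the relation.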

In  summary,  TLC: 

• Pragmatically and intuitively weakens "equivalence" and gives designers the freedom they need to design and reuse designs efficiently. TLC provides greater structural, temporal, and behavioral freedom of implementation while maintaining a meaningful and accurate implementation "implements" specification relationship.

• Relaxes timing requirements "the right way." Instead of accepting implementations that can refuse specification inputs, TLC rejects them; at the same time it rejects implementations that output when the specification does not allow outputs.

•  Avoids  checking  irrelevant  implementation  state  space  by  ignoring  extra  input  derivatives 
that  the  specification  does  not  have. 

•  Is  a  “completing”  companion  to  model  checking.  Since  TLC  gives  designers  substantial  free¬ 
dom  of  design,  it  does  not  generally  preserve  arbitrary  timed  modal  logic  or  ^-calculus  prop¬ 
erties,  yet  all  pragmatic  properties  are  preserved  when  the  specification  completely  defines 
the  inputting  environment  for  the  implementation. 

Further, Chapter V described the reasonably efficient region-automata-based decision procedure implemented in TLCS. TLCS computes whether or not the TLC relation holds with a minimum of user input required. TLCS computed whether or not TLC holds for several examples including the STARI (Self-Timed at Receiver's Input) asynchronous circuit for communicating safely between two clock-skewed systems. The results, summarized in Chapter VI, are comparable to those published elsewhere (Gre93, BM98, TB97).

7.2.3 Verification Methodology. The powerful and relatively efficient top-down TLC hierarchical verification methodology also works bottom-up. The TLC verification methodology is better than assumes-guarantees reasoning because it simplifies and reduces the burden of building models, and it breaks the verification down into less complex and independent pieces.

The TLC verification methodology is simpler because it can be independently decomposed without the assumes-guarantees circular dependency verifications. This reduces the magnitude of the verification task tremendously because iteratively changing models and specifications only affects the verifications up and down the hierarchy, not across the breadth of it for every iteration.

In summary, TLC verification:

• Breaks the verification task down into independent sub-verifications that are smaller and more tractable.

• Avoids having to always consider changes in the environment and other modules at every level of design.

• Requires no environmental model: naturally captures environmental timing requirements in the top-level specification.

• Provides an efficient alternative to assumes-guarantees proof obligations.

• Requires no user-supplied state relation.

7.3 Future Work

There is always more work to be done. The plans and ideas are organized into three areas: TLCS enhancements, TSA/TLC theory extensions, and promising TLC applications.

7.3.1 TLCS Enhancements. SWI-Prolog indexes information on the heap by the first term of the asserted fact by default, but facts can be indexed by more non-list terms to improve efficiency. It would greatly speed up the TLC process if the list of visited state pairs and their time vectors could be directly indexed according to all three terms — i.e., P's location, S's location, and the time vector. Unfortunately, the time vector data structure is a list and cannot be used as a hash key. Generating a nearly unique atomic hash key for each time vector and using it to index visited states and to represent time vectors on the stack seems feasible and would vastly improve the performance of the SWI-Prolog TLCS.

The current parallel composition algorithm stores the transition relations of the composed systems on the stack and recursively calls itself until no new states are reached. For small compositions, this approach works fine, but for large compositions (e.g., the two-queue-stage STARI queue with 18 subcomponents) TLCS overflows SWI-Prolog's stack limitation (64MB). Updating the parallel composition algorithm to use the heap (up to 1.9GB) instead of the stack to store component transition sequences would improve reasoning about larger systems.

There have been advances that reduce the exponential space complexity of the region automata time representation (HKWT95, LLPY97). These techniques should be studied to see if TLCS space complexity can be significantly improved. Many techniques are applicable for model checking because they depend on the formulas being checked and the applicable state space to minimize the complexity. Some techniques have been applied to equivalence checking; e.g., clock minimization algorithms, clock-planes, and geometric clock regions (RM94). Generally the efficiency gains depend on the particular relationships between the clock resets and clock predicates in the specific TSA. Whether these techniques can be directly applied to greatly improve the TLCS efficiency or if they would require extensions or modifications to the theory or algorithm itself is not yet clear. Of particular interest is University of Utah's Timed Event Level (TEL) structure research (BM97, BMH99). TEL structures are efficient ways of expressing timed Petri-net style behavior and signal level information together. University of Utah's ATACS system uses geometric representations of clock regions to efficiently reason about TEL structure timed state spaces representing the environment and the system. Conflicts between the environment and system state spaces are timing failures and design errors.

7.3.2 TSA/TLC Theory Extensions. One promising extension of TLC theory is to define a "confluent" Timed Logic Conformance, i.e., weaken TLC such that implementations can satisfy confluent specification output bursts with any of the allowed sequences of outputs. Frequently, specifications allow outputs to be generated in any sequence, but the output sequences converge to a single state. Currently, the TLC relation requires the implementation to generate all of the specification's output sequences. Since considerably more efficient implementations can typically be made that produce only a subset of those sequences, and the receiver of that sequence typically does not care in which order they arrive, a confluent TLC relation would safely give designers more behavioral freedom.

A second extension is to develop a methodology for safely abstracting actions/events from binary values changing to events on groups of binary signals, events on numbers, strings, and records. While not theoretically a problem, the rapid growth of region-automata timed state space severely limits reasoning about the behavior of multi-bit hardware architectures with TLCS. Current plans are to scale down the complexity by reducing bit-width, but more abstraction options are needed — especially if TLCS is used for system-level hardware and software architectures.

7.3.3 Promising TLC Applications. Integrating a TLC decision procedure and existing tools already available for different applications should be investigated. A main problem with the application of formal methods to real design is that there are many different models of computation and tools to support them but no Rosetta stone or transformation process for most of the models. Instead of trying to promote the use of TLCS with this flavor of TSA formalism for equivalence checking only, defining the TLC relation for an expressive timed FSM formalism already used for model checking or other formal methods applications makes sense. One model checking environment without an efficient equivalence checker is the Concurrency Factory (CGL+94). Integrating TLC into the Concurrency Factory would package the TLC theory in a useful way and expose more people to the more efficient TLC verification methodology.

Using TLC to define semantics of system architecture refinement in a category-theory-based specification-refinement tool like Specware (SJ94) should be investigated. Mark Gerken laid the foundation for using untimed process algebras to formally define different software architectures and reason about them (Ger95). Since the timing of hardware and software systems working together is so critical to their function, extending his theory over a timed FSM formalism like TSA and using the TLC relation to define an appropriate implementation relation between system architectures makes sense.
Another potentially fruitful research area is defining mappings from the Unified Modeling Language (UML) (Dou98) into TSA for the purpose of defining and proving temporal claims about UML specifications, architectures, and implementations. UML is a popular language for specifying system architectures, but UML does not have a solid theoretical foundation for all of its semantics. Previous AFIT research successfully defined formal semantics for informal graphically-based object-oriented specification and modeling languages similar to UML (DeL96), but the formal semantics have not been extended to the specification of and reasoning about system timing and the relationship of time and behavior. Since one of the most widely used views of a UML specification is FSM-based, using the TSA model and TLC relation to formally define the relationship between time and behavior and to refine the FSM part of UML specifications makes sense.

Another very important research idea is to use temporal logic, abstract TSA models, and the TLC relation to define and warrant the behavior of intellectual property (IP) subsystems. If the interfaces to the subsystem are defined as TSA, and the actions of the subsystem are defined using temporal logic or timed modal μ-calculus formulae, then potential users of the subsystem could compose the subsystem into their application and determine if they can interface with the subsystem correctly and satisfy their performance specifications. A predicate-logic based specification of behavior would likely be necessary to describe the data-path function of the subsystem as done at the University of Cincinnati (Bar98). This specification would be used for reasoning about the system's functional consistency and correctness with a theorem prover instead of a model checker or equivalence checker. With such formal specifications for IP components, users could automatically and reliably search for and reason about the suitability of the IP for their application without forcing the IP vendor to compromise the details of their implementation.
7.4 Concluding Remarks

Based on the results and conclusions in this and previous chapters, the research objectives have been successfully achieved. The Timed Safety Automata (TSA) formalism is rich enough to express hardware behavioral properties and all the necessary timeliness requirements. How to use TSA to model hardware components and specify required behaviors and timing was canonically defined. An efficient parallel TSA composition procedure was defined to support design and verification of more complex systems. The Timed Logic Conformance (TLC) relation was formally defined and specifies when one TSA satisfies the timing and behavioral requirements of another TSA. TLC is loose enough to give designers the structural, temporal, and behavioral freedom they need to implement efficiently. TLC does not sacrifice the fundamental requirements to match specification inputs and safely allow implementation outputs. The TLC partial order has the necessary mathematical properties for meaningful verification. The tractable computational procedure (TLCS) calculates when the TLC relation holds. TLCS successfully demonstrated the utility of the TLC relation on benchmark circuit design problems, and supported the development of a powerful and relatively efficient top-down hierarchical verification methodology.
Formal Verification of Digital Electronics, Timed Safety Automata, Region Automata, Bisimulation, Partial Order Refinement, Calculus of Communicating Systems, Timing Verification.